Windows Analysis Report
Quotation.scr.exe

Overview

General Information

Sample name: Quotation.scr.exe
Analysis ID: 1527851
MD5: c4480b58328126c07e887230ad86d282
SHA1: 7c226422b08bdf0e3258b9e8d52d1a30a80bd567
SHA256: a01a62156170d2f163507a09320efe3ac4112be7ac0e82752799963c6603a095
Tags: exe, user-adrian__luca

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Obfuscated command line found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files

Classification

  • System is w10x64
  • Quotation.scr.exe (PID: 4188 cmdline: "C:\Users\user\Desktop\Quotation.scr.exe" MD5: C4480B58328126C07E887230AD86D282)
    • cmd.exe (PID: 3328 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5440 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2620 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1616 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2184 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3748 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5672 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7088 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1596 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5896 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5356 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2724 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5724 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3800 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5792 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5916 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4016 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 356 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5720 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5996 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5728 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6112 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1176 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3392 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5172 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3172 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 776 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6104 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3424 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3892 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6320 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2724 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5724 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 516 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3984 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5168 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5376 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 356 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6068 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3424 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3892 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6320 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5960 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5724 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 516 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5976 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 948 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4016 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5720 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3604 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7072 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5448 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4876 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5764 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5648 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 516 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5976 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5532 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7088 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2688 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3328 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6568 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5448 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4876 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
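The 64 cmd.exe children in the tree above each evaluate one `set /a "X^177"` expression. In cmd arithmetic `^` is bitwise XOR, the right-hand operand is 177 in every child, and `set /a` prints its result when invoked this way, so each launch hands a single decoded byte back to the loader instead of running an XOR loop inside the process where a scanner could spot it. That is what the "Mass process execution to delay analysis" and "Obfuscated command line found" signatures are reacting to. How the parent collects the printed values is not shown in the report. The script below is an added example written for this page, not Joe Sandbox code and not part of the sample: it parses `set /a` command lines out of process-tree text, checks that the key is constant, evaluates the expressions in tree order, and counts `set /a` children per parent as a detection. The operands are copied from the tree above; the `(parent_image, child_cmdline)` event shape, the sample telemetry rows and the threshold of 10 are assumptions.

```python
"""Recover the byte stream GuLoader hides in its `cmd.exe /c set /a "X^Y"` children.

Added example for this report (not Joe Sandbox code). The operands below are
copied from the process tree above; every other value is constructed sample input.
"""
import re
from collections import Counter

# `set /a` evaluates the expression and, when run from a command line rather than
# a batch file, prints the result; X^Y is bitwise XOR in cmd arithmetic.
SET_A_RE = re.compile(r'cmd\.exe\s+/c\s+set\s+/a\s+"(\d+)\^(\d+)"', re.IGNORECASE)

# Constructed sample: two lines copied from the process tree, plus a conhost line
# that must not match, to show the parser works on raw sandbox output.
SAMPLE_LINES = [
    'cmd.exe (PID: 3328 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)',
    'Conhost.exe (PID: 3852 cmdline: C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)',
    'cmd.exe (PID: 5440 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)',
]

# Left-hand operands of all 64 `set /a "X^177"` children shown in the tree, in tree
# order (the right-hand operand is 177 in every one of them).
LEFT_OPERANDS = [
    250, 244, 227, 255, 244, 253, 130, 131, 139, 139, 242, 195, 212, 208, 197, 212,
    247, 216, 221, 212, 240, 153, 220, 145, 195, 133, 145, 157, 145, 216, 145, 129,
    201, 137, 129, 129, 129, 129, 129, 129, 129, 157, 145, 216, 145, 129, 157, 145,
    193, 145, 129, 157, 145, 216, 145, 133, 157, 145, 216, 145, 129, 201, 137, 129,
]
PAIRS = [(x, 177) for x in LEFT_OPERANDS]


def parse_set_a(line):
    """Return (x, y) from a `cmd.exe /c set /a "x^y"` command line, or None if absent."""
    m = SET_A_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def xor_key(pairs):
    """Return the right-hand operand if it is the same in every pair (a fixed
    single-byte key), otherwise None."""
    keys = {y for _, y in pairs}
    return keys.pop() if len(keys) == 1 else None


def decode_stream(pairs):
    """Evaluate each x^y exactly as `set /a` would and render the results as text.
    Printable ASCII is kept; anything else is shown as \\xNN so nothing is hidden."""
    values = [x ^ y for x, y in pairs]
    return "".join(chr(v) if 32 <= v < 127 else f"\\x{v:02x}" for v in values)


def decode_report_tree():
    """Decode the 64 children recorded in this report's process tree."""
    return decode_stream(PAIRS)


def mass_set_a_parents(events, threshold=10):
    """Detection logic: given (parent_image, child_cmdline) pairs from process
    creation telemetry, return the parents that spawned at least `threshold`
    children whose command line is a bare `set /a` expression. The event shape
    and the threshold are assumptions; map them onto your EDR's field names."""
    counts = Counter(parent for parent, cmd in events if SET_A_RE.search(cmd))
    return sorted(p for p, n in counts.items() if n >= threshold)


# Constructed telemetry: the loader's children plus benign noise from other parents.
SAMPLE_EVENTS = [("Quotation.scr.exe", f'cmd.exe /c set /a "{x}^177"') for x in LEFT_OPERANDS]
SAMPLE_EVENTS += [("msbuild.exe", 'cmd.exe /c set /a "1^2"')] * 3 + [("explorer.exe", "notepad.exe")]

if __name__ == "__main__":
    print("XOR key:", xor_key(PAIRS))
    print("Decoded:", decode_report_tree())
    print("Parents flagged:", mass_set_a_parents(SAMPLE_EVENTS))
```

Run stand-alone, the script reports key 177 and the decoded text `KERNEL32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80`. That follows the argument syntax of the NSIS System plug-in (`m` an ANSI string, `i` an integer, `p` a pointer, `r4` the $4 register), which fits the `nsis.sf.net` strings and the `nsgBB08.tmp` drop recorded elsewhere in this report, and the values line up with CreateFileA's parameters: GENERIC_READ, no sharing, a NULL security descriptor, OPEN_ALWAYS and FILE_ATTRIBUTE_NORMAL. The string stops mid-argument because the tree shown is a prefix: the report counts 122 conhost launches but lists 64 cmd.exe children. Conhost.exe carries no payload of its own; it is spawned once per cmd.exe, so it doubles the process count without contributing bytes, and the detection deliberately counts only the `set /a` children.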
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

No configs have been found

Source | Rule | Description | Author | Strings
00000000.00000002.4582856976.0000000000656000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | -
00000000.00000002.4582856976.000000000066A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | -
00000000.00000002.4582856976.0000000000681000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | -
00000000.00000002.4583598901.00000000068E3000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | -
Process Memory Space: Quotation.scr.exe PID: 4188 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | -

No Sigma rule has matched
No Suricata rule has matched

            AV Detection

Source: Quotation.scr.exe | ReversingLabs: Detection: 28%
Source: Quotation.scr.exe | Virustotal: Detection: 48%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: Quotation.scr.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Quotation.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_004059E3 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_00406598 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_004027AA FindFirstFileA
Source: Quotation.scr.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Quotation.scr.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_00405480 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: Conhost.exe | Process created: 122

            System Summary

Source: initial sample | Static PE information: Filename: Quotation.scr.exe
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_0040337D EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Quotation.scr.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_00406921
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_73F11B28
Source: Quotation.scr.exe, 00000000.00000000.2138897540.0000000000437000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename abdicere.exe@ vs Quotation.scr.exe
Source: Quotation.scr.exe | Binary or memory string: OriginalFilename abdicere.exe@ vs Quotation.scr.exe
Source: Quotation.scr.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal84.troj.evad.winEXE@400/11@0/0
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_0040337D EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_00404730 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\Quotation.scr.exe | File created: C:\Users\user\AppData\Roaming\filigraners
Source: C:\Users\user\Desktop\Quotation.scr.exe | File created: C:\Users\user\AppData\Local\Temp\nsgBB08.tmp
Source: Quotation.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation.scr.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Quotation.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Quotation.scr.exe | ReversingLabs: Detection: 28%
Source: Quotation.scr.exe | Virustotal: Detection: 48%
Source: C:\Users\user\Desktop\Quotation.scr.exe | File read: C:\Users\user\Desktop\Quotation.scr.exe
Source: unknown | Process created: C:\Users\user\Desktop\Quotation.scr.exe "C:\Users\user\Desktop\Quotation.scr.exe"
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: Quotation.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Yara match File source: 00000000.00000002.4583598901.00000000068E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.4582856976.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.4582856976.000000000066A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.4582856976.0000000000681000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: Quotation.scr.exe PID: 4188, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeCode function: 0_2_73F11B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_73F11B28
            Source: C:\Users\user\Desktop\Quotation.scr.exeFile created: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\nsExec.dllJump to dropped file
            Source: C:\Users\user\Desktop\Quotation.scr.exeFile created: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dllJump to dropped file
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | RDTSC instruction interceptor: First address: 6C4D5D6 second address: 6C4D5D6 instructions: 0x00000000 rdtsc 0x00000002 cmp bl, dl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F40048800FFh 0x00000008 cmp edi, 3DD574F0h 0x0000000e inc ebp 0x0000000f test cx, ax 0x00000012 inc ebx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\nsExec.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll
            Source: C:\Users\user\Desktop\Quotation.scr.exe TID: 2788 | Thread sleep time: -31900s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\Conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\Conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\Conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\Conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_004059E3 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004059E3
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_00406598 FindFirstFileA,FindClose, 0_2_00406598
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_004027AA FindFirstFileA, 0_2_004027AA
            Source: C:\Users\user\Desktop\Quotation.scr.exe | API call chain: ExitProcess graph end node graph_0-4995
            Source: C:\Users\user\Desktop\Quotation.scr.exe | API call chain: ExitProcess graph end node graph_0-4991
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 0_2_73F11B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_73F11B28
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Quotation.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe  Code function: 0_2_0040337D EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
MITRE ATT&CK Matrix, listed per tactic column (a technique that matched carries the report's count in parentheses; the remaining entries are the unmatched techniques the matrix displays):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (2); Command and Scripting Interpreter (1); Native API (1); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Time Based Evasion (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (2); Time Based Evasion (1); File and Directory Discovery (2); System Information Discovery (123); Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1527851, sample: Quotation.scr.exe, start date: 07/10/2024, architecture: WINDOWS, score: 84)
Signatures on the sample: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Initial sample is a PE file and has a suspicious name; AI detected suspicious sample
Quotation.scr.exe (started)
  dropped files: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
  signatures: Obfuscated command line found; Mass process execution to delay analysis; Tries to detect virtualization through RDTSC time measurements
  started: cmd.exe; cmd.exe; cmd.exe; 61 other processes
    each of the three cmd.exe instances started a Conhost.exe
    the 61 other processes started three Conhost.exe instances and 58 other processes
Antivirus detection, submitted file (Source | Detection | Scanner | Label):
Quotation.scr.exe | 29% | ReversingLabs | Win32.Trojan.Generic
Quotation.scr.exe | 49% | Virustotal |

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\nsExec.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\nsExec.dll | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
No contacted domains info

URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
http://nsis.sf.net/NSIS_Error | Quotation.scr.exe | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | Quotation.scr.exe | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527851
Start date and time: 2024-10-07 10:51:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 134
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Quotation.scr.exe
Detection: MAL
Classification: mal84.troj.evad.winEXE@400/11@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 49
• Number of non-executed functions: 30
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 40.69.42.241, 13.85.23.206
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
04:52:47 | API Interceptor | 18x Sleep call for process: Quotation.scr.exe modified
            No context
            No context
            No context
            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll | https://www.inputdirector.com/downloads/InputDirector.v2.2.zip | malicious | Unknown
  (same match) | rE4qoSFquu.exe | malicious | GuLoader
  (same match) | rE4qoSFquu.exe | malicious | GuLoader
  (same match) | swift_remittance_copy_inv_30_04_2024_0000000000_pdf.exe | malicious | GuLoader
  (same match) | swift_remittance_copy_inv_30_04_2024_0000000000_pdf.exe | malicious | GuLoader
  (same match) | PKO_TRANS_DETAILS_Partial xlsx.exe | malicious | Unknown
  (same match) | https://www.inputdirector.com/downloads.html | malicious | Unknown
  (same match) | Fund_Transfer_REF#932844-9374637.exe | malicious | GuLoader
  (same match) | Bank_Account_Confirmation_For_Fund_Transfer_Ref#92749373929.exe | malicious | GuLoader
  (same match) | Fund_Transfer_REF#932844-9374637.exe | malicious | GuLoader
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):12288
                                Entropy (8bit):5.7526639220430935
                                Encrypted:false
                                SSDEEP:192:rFiQJ771Jt17C8F1A5xjGNNvgFOiLb7lrT/L93:X71Jt48F2eNvgFF/L
                                MD5:792B6F86E296D3904285B2BF67CCD7E0
                                SHA1:966B16F84697552747E0DDD19A4BA8AB5083AF31
                                SHA-256:C7A20BCAA0197AEDDDC8E4797BBB33FDF70D980F5E83C203D148121C2106D917
                                SHA-512:97EDC3410B88CA31ABC0AF0324258D2B59127047810947D0FB5E7E12957DB34D206FFD70A0456ADD3A26B0546643FF0234124B08423C2C9FFE9BDEC6EB210F2C
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                 • Antivirus: Virustotal, Detection: 0%
                                 Joe Sandbox View:
                                 • Filename: , Detection: malicious
                                 • Filename: rE4qoSFquu.exe, Detection: malicious
                                 • Filename: rE4qoSFquu.exe, Detection: malicious
                                 • Filename: swift_remittance_copy_inv_30_04_2024_0000000000_pdf.exe, Detection: malicious
                                 • Filename: swift_remittance_copy_inv_30_04_2024_0000000000_pdf.exe, Detection: malicious
                                 • Filename: PKO_TRANS_DETAILS_Partial xlsx.exe, Detection: malicious
                                 • Filename: , Detection: malicious
                                 • Filename: Fund_Transfer_REF#932844-9374637.exe, Detection: malicious
                                 • Filename: Bank_Account_Confirmation_For_Fund_Transfer_Ref#92749373929.exe, Detection: malicious
                                 • Filename: Fund_Transfer_REF#932844-9374637.exe, Detection: malicious
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L....Oa...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...h....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):6656
                                Entropy (8bit):5.1793678932213725
                                Encrypted:false
                                SSDEEP:96:AOBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+uHwEX:AhB2flXAVJtjf6cBbcB/N8Ved0PZ
                                MD5:5AA38904ACDCC21A2FB8A1D30A72D92F
                                SHA1:A9CE7D1456698921791DB91347DBA0489918D70C
                                SHA-256:10675F13ABAEE592F14382349AA35D82FB52AAB4E27EEF61D0C83DEC1F6B73DA
                                SHA-512:F04740DA561D7CD0DEA5E839C9E1C339D4A3E63944D3566C94C921A3D170A69918A32DFF3F3B43F13D55CC25A2DBB4C21104F062C324308AC5104179766402A3
                                Malicious:false
                                Antivirus:
                                 • Antivirus: Virustotal, Detection: 0%
                                • Antivirus: ReversingLabs, Detection: 0%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):114753
                                Entropy (8bit):1.2586540497437009
                                Encrypted:false
                                SSDEEP:768:WenmVh/k7TozK55riAiNJ8t6443KBt7zHZNRpyqMWed:rUKP+8jnxa
                                MD5:2EF7E321C82D59579C325034F74BA4AD
                                SHA1:086F45A146595A46C9BC849312B89F1B5BCDE6D2
                                SHA-256:1EDAE1AEFE70CCBA599760888CD2CF641B1539F1D0A569261C55DC11A50D84B1
                                SHA-512:D642C90CA8C70DDEF043DBE4FDEFDC99AE598780B1FD59492FD2D1DFEEB5F53FBEEAAA1154E560E9D2A44B717CC440C6B3AA581C3952D3E54BCDA249D892686D
                                Malicious:false
                                Preview:k.K.......k......................................E.................................w............b.........8.......e.......................................l.......O...........................!..............................................j......x...........6..$...........................................................h.....[...z..+.........................../.........................................................q......................................p....................:......................................................`.....................P...........................................................J...\........ ..................L............ ....I..........................+.......6..?....................................%....................................S....R.................L........................d............X......:......................................................+.................................................L......U..... ........+........P................
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):153818
                                Entropy (8bit):1.2639290002649561
                                Encrypted:false
                                SSDEEP:768:M9DhluOoe1fMZfFHPVpwCVms1Q0A8CbD4tGpx7QLicW2UkOkGBSbSmLssM:Mlta/Vt1J1M7aXip
                                MD5:888F177E0683B79B6D441AF045B326F4
                                SHA1:03D9A09EF833CFE221A90772D1E4546FD0D4261F
                                SHA-256:4F80E6F1DB419DD5D623D7E185F74D90C52799A302DB99BD6CCC9E2B6295F570
                                SHA-512:39FB92D4E9A5237296756437807C16F76083CB294065DF3FA5FAF827C814550EF48C150F2AD0F9739D91B06E24F2C379D148AAF0480F66BFDF7C62C4CCA4D91B
                                Malicious:false
                                Preview:........6........2.......................r.....................................-.......Z..............l..........................................<.................j......%.......J.......................E.............................................................).....}...................A.....*.......&.....<.............-...........Z........j...........`...... ...-...................l........................................S..............................................s.....................................................r.....%...........................................................................b............................................................. ......................{...............................................?.................+................................................."....O.....................................................1........................................6................................................9.......6............................
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):9508
                                Entropy (8bit):1.211681161165311
                                Encrypted:false
                                SSDEEP:48:FtQQBWTu5fmY59wxRv/TOi9AWFM0P2osj5OIAtF6/8JF6:MQg65mDi8CjcDa
                                MD5:13B1B7AB14DED226678354F654062A36
                                SHA1:56555B9C396C1CFA7B289F9B34C1F85F5BDC9F93
                                SHA-256:8549C87DE02847950BC65CAF8E7039E9FC293640EB0F850ADEE9064DFAD7A9D6
                                SHA-512:695D2BB1EA2D32057A6768DE4E82C8E3D37D7EE8A2CD47C066543E4F8DACCF4DB1E5D0E7D28E80D239C294DF07B455AED12935387900EB0CD831F3F0658A5C15
                                Malicious:false
                                Preview:...o................................................................................2..........................z..............................................................................r%.......................................e.................................................................................................................g.....K..................................................................E......._.......................................................................................)............<..................Y............4...........a.......................................t....x........G...........'................%.........L..]..........'.......................P........................................................................................-...................................[......S.......................S.............X......A....C......p...........?..................................o.................................GP.........................
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):303688
                                Entropy (8bit):1.2608745221554885
                                Encrypted:false
                                SSDEEP:768:rl5hQMLbU5wLoRCnqzRjuoQYSwX8aCW6xQFO+iFmxa1L1xQsbPQTGFH3sS+DQgUR:ja8aMhFmU1j4McsKXdO0kp
                                MD5:9A8BB2F18F1F388A6669FEB7359B8C5F
                                SHA1:502B38F86935CD011C01AD85F74A9D7256A1F959
                                SHA-256:503C39408403116FF0322DBD262B6A7C9506DB4C4C9385C7612AD2BFDC038D1A
                                SHA-512:519D83D5DA40F6759A6F137AEE1C26384548DA7F3C9C0773F5EB6588868945F5BEC8971ABA8ADBC75DA8A2FE4170F2C070350B3294B18F893BF77B684BDEBA68
                                Malicious:false
                                Preview:.................+...................................z.....................................................t...........).#............B..........Y............................................?..............W..........r.......................................I.........................................p.....................................[..!.......................................................................................................................@......................2.........................................................................................................................l..................................,.........}............................`....W.............."...........................................K........................................i.....r......... ....R7...;..$.............................................................q...............................-....s.......................G.........................................................s.....
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):207365
                                Entropy (8bit):1.261435024266845
                                Encrypted:false
                                SSDEEP:768:iRJ349wvwq1AYt/DHNrr+C6+qBvXngt3yY1kidN6zyBSelQBOkFKi2HT78bExsQ0:in3pTNZUu1LJohx3t
                                MD5:A743239852B769682031B0202AFC0C2F
                                SHA1:579B06715FCB9D8AFBBF4CF804F0D395503863F8
                                SHA-256:317B6FB5E8BF3BE3B1917E7EFC4292769981A0E9CCBE9DFCE0D8F50B22B89F2A
                                SHA-512:B433DA21C70CF611454EE73C2045914C9EE66AA799C18B6571E0AA8B2EF67936E505187B28B6D734DB96F5E1E746C337AED7D0D1C88C005F62F718F0B5F19688
                                Malicious:false
                                Preview:.............................l...-.............................................................................................................................................................q.............9......h.....(......S$............................$........................................$....|...k......................................}....._...................6.............%.....0...........................................Ff.................................................................................3..................-........d........................................].................$............................\............................_.....................&.....................b..................................l...............................?.........................'.........................................................'........................................S..........>..e........................Yz...d.......................K..........................w....)
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):103695
                                Entropy (8bit):1.251468671568616
                                Encrypted:false
                                SSDEEP:768:Ce4jUurc2sdFwiUbkifCHsn6ZBsOUWUAlCLv7QiGXZwsc:GeMrMKvUc
                                MD5:2F94BAB742D098F603582B5A87070472
                                SHA1:F366400D7D1C460129F626C56CF5447F4204CACB
                                SHA-256:AD2ABCDDCF963ACC3388796EE9A8AEED2E206AE39C1AB4989577BEBACD55B6F2
                                SHA-512:06FBC422A8C6D361BDC45679D4FE991B5C4DB5EF171E3EF1B4688E001CD489674D7B12A87AAB6DF1E226236F1C586693248DFE1EF904E10C6DBF76AFC1580D77
                                Malicious:false
                                Preview:........................................................................................y.t................................c.@....................................5...........................................f............................................/.........Z................y.........P.....J...0b....m.t............_........................................................................4............L............................l...................J.......................S..........i...........................................................8..................................................................................W..^............K.......................*....L........!.............P..........\.................................................................................................................................!.L.......p......{P............................................................................................................................................
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):154339
                                Entropy (8bit):7.744575026749979
                                Encrypted:false
                                SSDEEP:3072:Fwrah2wnXGV8IPPMO9mT56hBJIiPga01hW8l9S36ytAACAH:Ga2rVQO9M5MBJI3nWGaf
                                MD5:BC3219013431B736152718B854D5D0D8
                                SHA1:8AD9B89B3CCC420E46C78145A80DFCCCB6DD5582
                                SHA-256:7529524AAEE315F4E5D57E46988A86A6A62C1E6AA97DD82ED43D58CEA9D2F208
                                SHA-512:2EC8880C39560B62A852AA717F7B0167BB7C565F2A1CBBE08DC619B7FA98D59E62CE478076D179045284AE5C188B0A2F26A821C88A32D26465A2130C85DEB6D6
                                Malicious:false
                                Preview:.........................................9.......666..++++++..:............................0........?...k.................&.B..............y...9.......E.........M..............................m....777......fff......................................U........FFF......LL.X............xx................................nn..k............k.?.b.'...........#.zz.y.rr.}}}............DD..............$$.q........'..e......A.....YY........3...............X..v...}.....<<.00............N............~...................Z...9.....P.%%%%..........Y.LLL.....TTTT.....s..........^^......-..ttttt..Q.F.II...22....ssss......A...............S..OOOOO........vvv.......ppp.................................[..f......;l.f........sSAP4.f.......qM...f.....9..ff......y.o.f.... .f!....3*2.....Z.........Xf...f.....5..................f..............,....L...... ..d.kK..X......VX..........-}.......f...>...1............f.................\..|.f..........f.............7.Cf!..........f........q...f.......*q...f
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):13727
                                Entropy (8bit):4.66899548202078
                                Encrypted:false
                                SSDEEP:192:hFMAK1b8x1A8/hQhiaJ8f418h2y5lsoAvQajIsWXOs4QrIx:hib1b8Q8/h94Oh9soO1jIdXO1Qsx
                                MD5:E519AABB8C8189F20D6C50ED622694E1
                                SHA1:586B88267558899013C45562C75BFED299C4803E
                                SHA-256:AC52F6D6464B58B716A6D3C83DF4F90695D3EC7F446FCE63E2BE0EFB781CB201
                                SHA-512:C4BCB0F7C82FE517B180DBCBE36709F136FB832636F647A83F36829C7E6ABAAB394787958583260360F6749A87CA4BAA2ED39EC9689F80E94B874AC4B531E5DF
                                Malicious:false
                                Preview:.......]]]]]...a.....KK........$$$....._.n......................h..'.......................................................................................................................................................................................................................................................................ss...R.....F.................<....44........rr................r..}................~.x.......+......6666...e.......``...N.|.......d......@...............................,,...............A..........,.6.....=......FF..........++..>>....1............K....SS..g..............H......5..................cc.i.%........._.0.V.....qq.HH............v.....11............z........._...........]]..G..............y....ZZ.........Y..%%%%%...t....###.A....6........Y..000............rr..................y................................k..................t...D.FF......f..p......W..................................iii.......####..........Y
                                Process:C:\Users\user\Desktop\Quotation.scr.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):422
                                Entropy (8bit):4.271830252620368
                                Encrypted:false
                                SSDEEP:12:rp6Be3Ld+WHjMW/C88JMVsvoBGaOCzRUd2xrfMjJpIOYKy:l6ByZ+WHjSiFQCzRUnIOYKy
                                MD5:2C00D966CFDFF8B11C0F33D2BA87CF2A
                                SHA1:95762821A7F3231CA97A2E5907CCA9330B0727F0
                                SHA-256:FFCAFFD73F4661C5BFC8F7AAF1A048A2F7627B6D9E05AA23CDB5A48EC5C5B336
                                SHA-512:003C54EA50B56E01632DBC49713D4F3C2FF4C97E43D7EE356FBA5E435AAAD92E0EDEBFDC030ECAF693621F0254F3F19744CC14E1F7681DAFF6C41355386D4A41
                                Malicious:false
                                Preview:plotinize macroconidium sulfoforbindelsernes snusdaasens,koussos rosevins taagehorn,phrenography tailpipes alectoria plebeianisation.civil previsional nonpromotion selvhad trudged divorcee grundmures middeltemperaturers scrofulosis afskumme silkehalernes xerotes..groundswell condolences espelvet unslashed.magredes hjemmenes demonologer kapitulationen afsatte farhands zaramo agalawood underopdeles mesethmoid alderamin..
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                Entropy (8bit):7.84795704193886
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:Quotation.scr.exe
                                File size:407'117 bytes
                                MD5:c4480b58328126c07e887230ad86d282
                                SHA1:7c226422b08bdf0e3258b9e8d52d1a30a80bd567
                                SHA256:a01a62156170d2f163507a09320efe3ac4112be7ac0e82752799963c6603a095
                                SHA512:95479cd3368aea9ee77f7398a9870843c4bbe9b26f8dfc1b0b199e6508513863354f087b447e0691f60d271b79511786b749cbd996f99d470e899936597e79b1
                                SSDEEP:12288:Ck13jLO9cLkxp6qu07AoF6DrGUnekSnea5+Ns054Pio:C036Qk79uWAoF8ZOSscSd
                                TLSH:0B8412603EF4C4E3DA6916B02CAF7FB8AEA6DC017484124B4B222F657DA2184DD5FF05
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d..........}3............@
                                Icon Hash:5129ce9696168c55
                                Entrypoint:0x40337d
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x614F9AC7 [Sat Sep 25 21:55:19 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:5f0c714c36e6cc016b3a1f4bc86559e4
                                Instruction
                                push ebp
                                mov ebp, esp
                                sub esp, 00000220h
                                push esi
                                push edi
                                xor edi, edi
                                push 00008001h
                                mov dword ptr [ebp-10h], edi
                                mov dword ptr [ebp-04h], 0040A198h
                                mov dword ptr [ebp-08h], edi
                                mov byte ptr [ebp-0Ch], 00000020h
                                call dword ptr [004080B8h]
                                mov esi, dword ptr [004080BCh]
                                lea eax, dword ptr [ebp-000000C0h]
                                push eax
                                mov dword ptr [ebp-000000ACh], edi
                                mov dword ptr [ebp-2Ch], edi
                                mov dword ptr [ebp-28h], edi
                                mov dword ptr [ebp-000000C0h], 0000009Ch
                                call esi
                                test eax, eax
                                jne 00007F4004EF3821h
                                lea eax, dword ptr [ebp-000000C0h]
                                mov dword ptr [ebp-000000C0h], 00000094h
                                push eax
                                call esi
                                cmp dword ptr [ebp-000000B0h], 02h
                                jne 00007F4004EF380Ch
                                movsx cx, byte ptr [ebp-0000009Fh]
                                mov al, byte ptr [ebp-000000ACh]
                                sub ecx, 30h
                                sub al, 53h
                                mov byte ptr [ebp-26h], 00000004h
                                neg al
                                sbb eax, eax
                                not eax
                                and eax, ecx
                                mov word ptr [ebp-2Ch], ax
                                cmp dword ptr [ebp-000000B0h], 02h
                                jnc 00007F4004EF3804h
                                and byte ptr [ebp-26h], 00000000h
                                cmp byte ptr [ebp-000000ABh], 00000041h
                                jl 00007F4004EF37F3h
                                movsx ax, byte ptr [ebp-000000ABh]
                                sub eax, 40h
                                mov word ptr [ebp-2Ch], ax
                                jmp 00007F4004EF37E6h
                                mov word ptr [ebp-2Ch], di
                                cmp dword ptr [ebp-000000BCh], 0Ah
                                jnc 00007F4004EF37EAh
                                and word ptr [ebp+00000000h], 0000h
                                Programming Language:
                                • [EXP] VC++ 6.0 SP5 build 8804
                                 Name | Virtual Address | Virtual Size | Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0xcb50 | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 .text | 0x1000 | 0x6238 | 0x6400 | e501b7d0024d882356016fc405498263 | False | 0.65984375 | data | 6.3894494417917445 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 .rdata | 0x8000 | 0x1276 | 0x1400 | e1e3342c6b91dfcc1b72e0ad0801bcc3 | False | 0.43359375 | data | 5.057696881091476 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .data | 0xa000 | 0x1a838 | 0x600 | 3ee9e10e2cb73a6568d7f859493318f4 | False | 0.4368489583333333 | data | 3.9916398882751056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .ndata | 0x25000 | 0x12000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .rsrc | 0x37000 | 0xcb50 | 0xcc00 | 4fad5d57d86ceeda67b56b00c01910e2 | False | 0.5526769301470589 | data | 6.3832972048748005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                 RT_ICON | 0x37448 | 0x49ca | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9939121228163049
                                 RT_ICON | 0x3be18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2237551867219917
                                 RT_ICON | 0x3e3c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.2682926829268293
                                 RT_ICON | 0x3f468 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.375
                                 RT_ICON | 0x40310 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.33811475409836067
                                 RT_ICON | 0x40c98 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.3686823104693141
                                 RT_ICON | 0x41540 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.3392857142857143
                                 RT_ICON | 0x41c08 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.29878048780487804
                                 RT_ICON | 0x42270 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.2565028901734104
                                 RT_ICON | 0x427d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.39273049645390073
                                 RT_ICON | 0x42c40 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.38844086021505375
                                 RT_ICON | 0x42f28 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.41598360655737704
                                 RT_ICON | 0x43110 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.46959459459459457
                                 RT_DIALOG | 0x43238 | 0x100 | data | English | United States | 0.5234375
                                 RT_DIALOG | 0x43338 | 0xf8 | data | English | United States | 0.6330645161290323
                                 RT_DIALOG | 0x43430 | 0xa0 | data | English | United States | 0.6125
                                 RT_DIALOG | 0x434d0 | 0x60 | data | English | United States | 0.7291666666666666
                                 RT_GROUP_ICON | 0x43530 | 0xbc | data | English | United States | 0.6063829787234043
                                 RT_VERSION | 0x435f0 | 0x220 | data | English | United States | 0.5367647058823529
                                 RT_MANIFEST | 0x43810 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                DLLImport
                                ADVAPI32.dllRegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                SHELL32.dllSHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                ole32.dllIIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                USER32.dllSetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersionExA, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
                                Language of compilation systemCountry where language is spokenMap
                                EnglishUnited States
                                No network behavior found

                                Target ID:0
                                Start time:04:52:10
                                Start date:07/10/2024
                                Path:C:\Users\user\Desktop\Quotation.scr.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Quotation.scr.exe"
                                Imagebase:0x400000
                                File size:407'117 bytes
                                MD5 hash:C4480B58328126C07E887230AD86D282
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.4582856976.0000000000656000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.4582856976.000000000066A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.4582856976.0000000000681000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4583598901.00000000068E3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:2
                                Start time:04:52:11
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "250^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:3
                                Start time:04:52:11
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:4
                                Start time:04:52:12
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "244^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:5
                                Start time:04:52:12
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:6
                                Start time:04:52:12
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "227^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:7
                                Start time:04:52:12
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:8
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "255^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:9
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:10
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "244^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:11
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:12
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "253^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:13
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:14
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "130^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:15
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:16
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "131^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:17
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:18
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "139^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:19
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:20
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "139^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:21
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:22
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "242^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:23
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:24
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "195^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:25
                                Start time:04:52:13
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:26
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "212^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:27
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:28
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "208^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:29
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:30
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "197^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:31
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:32
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "212^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:33
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:34
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "247^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:35
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:36
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "216^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:37
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:38
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "221^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:39
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:40
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "212^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:41
                                Start time:04:52:14
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:42
                                Start time:04:52:15
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "240^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:43
                                Start time:04:52:15
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:44
                                Start time:04:52:15
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "153^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:45
                                Start time:04:52:15
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:46
                                Start time:04:52:15
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "220^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:47
                                Start time:04:52:15
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:48
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:49
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:50
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "195^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:51
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:52
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "133^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:53
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:54
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:55
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:56
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd.exe /c set /a "157^177"
                                Imagebase:0x7ff66e660000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:57
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:58
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:59
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:60
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd.exe /c set /a "216^177"
                                Imagebase:0x7ff7403e0000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:61
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:62
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:63
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:64
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:65
                                Start time:04:52:16
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:66
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "201^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:67
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:68
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "137^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:69
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:70
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:71
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:72
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:73
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:74
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:75
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:76
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:77
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:78
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:79
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:80
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:81
                                Start time:04:52:17
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:82
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:83
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:84
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "157^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:85
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:86
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:87
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:88
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "216^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:89
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:90
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:91
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:92
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:93
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:94
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "157^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:95
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:96
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:97
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:98
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "193^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:99
                                Start time:04:52:18
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:100
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:101
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:102
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:103
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:104
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "157^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:105
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:106
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:107
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:108
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "216^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:109
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:110
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:111
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:112
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "133^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:113
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:114
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "157^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:115
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:116
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:117
                                Start time:04:52:19
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:118
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "216^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:119
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:120
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "145^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:121
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:122
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:123
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:124
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "201^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:125
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:126
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "137^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:127
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:128
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):
                                Commandline:cmd.exe /c set /a "129^177"
                                Imagebase:
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:129
                                Start time:04:52:20
                                Start date:07/10/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                  Execution Graph

                                  Execution Coverage:19.1%
                                  Dynamic/Decrypted Code Coverage:13.5%
                                  Signature Coverage:16.6%
                                  Total number of Nodes:1573
                                  Total number of Limit Nodes:38
40464b 5625->5631 5642 4042c0 KiUserCallbackDispatcher 5627->5642 5630->5631 5635 404651 SendMessageA 5631->5635 5631->5636 5632 404595 5645 404689 5632->5645 5633 4044a0 GetDlgItem 5643 4042d3 SendMessageA 5633->5643 5635->5636 5639 4044b6 SendMessageA 5640 4044d4 GetSysColor 5639->5640 5641 4044dd SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 5639->5641 5640->5641 5641->5636 5642->5633 5643->5639 5644->5632 5646 404697 5645->5646 5647 40469c SendMessageA 5645->5647 5646->5647 5647->5613 5651 4058fd ShellExecuteExA 5648->5651 5650 404613 LoadCursorA SetCursor 5650->5617 5651->5650 5652 40298a 5653 402c17 17 API calls 5652->5653 5654 402990 5653->5654 5655 4062b4 17 API calls 5654->5655 5656 4027c8 5654->5656 5655->5656 5657 40260c 5658 402c39 17 API calls 5657->5658 5659 402613 5658->5659 5662 405db4 GetFileAttributesA CreateFileA 5659->5662 5661 40261f 5662->5661 5663 73f1103d 5666 73f1101b 5663->5666 5667 73f1154b GlobalFree 5666->5667 5668 73f11020 5667->5668 5669 73f11027 GlobalAlloc 5668->5669 5670 73f11024 5668->5670 5669->5670 5671 73f11572 3 API calls 5670->5671 5672 73f1103b 5671->5672 4646 402590 4647 402c79 17 API calls 4646->4647 4648 40259a 4647->4648 4649 402c17 17 API calls 4648->4649 4650 4025a3 4649->4650 4651 4025b1 4650->4651 4656 4027c8 4650->4656 4652 4025ca RegEnumValueA 4651->4652 4653 4025be RegEnumKeyA 4651->4653 4654 4025e6 RegCloseKey 4652->4654 4655 4025df 4652->4655 4653->4654 4654->4656 4655->4654 5673 401490 5674 405342 24 API calls 5673->5674 5675 401497 5674->5675 5676 407014 5679 4067a5 5676->5679 5677 406826 GlobalFree 5678 40682f GlobalAlloc 5677->5678 5678->5679 5680 407110 5678->5680 5679->5677 5679->5678 5679->5679 5679->5680 5681 4068a6 GlobalAlloc 5679->5681 5682 40689d GlobalFree 5679->5682 5681->5679 5681->5680 5682->5681 5173 40159d 5174 402c39 17 API calls 5173->5174 5175 4015a4 SetFileAttributesA 5174->5175 5176 4015b6 5175->5176 5683 40149d 5684 4014ab PostQuitMessage 5683->5684 5685 40238f 5683->5685 
5684->5685 5686 401a1e 5687 402c39 17 API calls 5686->5687 5688 401a27 ExpandEnvironmentStringsA 5687->5688 5689 401a3b 5688->5689 5690 401a4e 5688->5690 5689->5690 5691 401a40 lstrcmpA 5689->5691 5691->5690 5692 40251e 5693 402c79 17 API calls 5692->5693 5694 402528 5693->5694 5695 402c39 17 API calls 5694->5695 5696 402531 5695->5696 5697 40253b RegQueryValueExA 5696->5697 5702 4027c8 5696->5702 5698 402561 RegCloseKey 5697->5698 5699 40255b 5697->5699 5698->5702 5699->5698 5703 40617f wsprintfA 5699->5703 5703->5698 5709 40171f 5710 402c39 17 API calls 5709->5710 5711 401726 SearchPathA 5710->5711 5712 401741 5711->5712 5713 401d1f 5714 402c17 17 API calls 5713->5714 5715 401d26 5714->5715 5716 402c17 17 API calls 5715->5716 5717 401d32 GetDlgItem 5716->5717 5718 402628 5717->5718 5719 402aa0 SendMessageA 5720 402ac5 5719->5720 5721 402aba InvalidateRect 5719->5721 5721->5720 5722 406921 5724 4067a5 5722->5724 5723 407110 5724->5723 5725 406826 GlobalFree 5724->5725 5726 40682f GlobalAlloc 5724->5726 5727 4068a6 GlobalAlloc 5724->5727 5728 40689d GlobalFree 5724->5728 5725->5726 5726->5723 5726->5724 5727->5723 5727->5724 5728->5727 5729 404ca3 GetDlgItem GetDlgItem 5730 404cf9 7 API calls 5729->5730 5741 404f20 5729->5741 5731 404da1 DeleteObject 5730->5731 5732 404d95 SendMessageA 5730->5732 5733 404dac 5731->5733 5732->5731 5734 404de3 5733->5734 5736 4062b4 17 API calls 5733->5736 5737 40429e 18 API calls 5734->5737 5735 4050ae 5740 4050b8 SendMessageA 5735->5740 5747 4050c0 5735->5747 5742 404dc5 SendMessageA SendMessageA 5736->5742 5738 404df7 5737->5738 5743 40429e 18 API calls 5738->5743 5739 405002 5739->5735 5744 40505b SendMessageA 5739->5744 5772 404f13 5739->5772 5740->5747 5741->5739 5760 404f8f 5741->5760 5783 404bf1 SendMessageA 5741->5783 5742->5733 5761 404e08 5743->5761 5750 405070 SendMessageA 5744->5750 5744->5772 5745 404ff4 SendMessageA 5745->5739 5746 404305 8 API calls 5751 4052af 5746->5751 5752 4050d2 ImageList_Destroy 5747->5752 5753 
4050d9 5747->5753 5757 4050e9 5747->5757 5749 405263 5758 405275 ShowWindow GetDlgItem ShowWindow 5749->5758 5749->5772 5756 405083 5750->5756 5752->5753 5754 4050e2 GlobalFree 5753->5754 5753->5757 5754->5757 5755 404ee2 GetWindowLongA SetWindowLongA 5759 404efb 5755->5759 5766 405094 SendMessageA 5756->5766 5757->5749 5776 405124 5757->5776 5788 404c71 5757->5788 5758->5772 5762 404f00 ShowWindow 5759->5762 5763 404f18 5759->5763 5760->5739 5760->5745 5761->5755 5765 404e5a SendMessageA 5761->5765 5767 404edd 5761->5767 5769 404e98 SendMessageA 5761->5769 5770 404eac SendMessageA 5761->5770 5781 4042d3 SendMessageA 5762->5781 5782 4042d3 SendMessageA 5763->5782 5765->5761 5766->5735 5767->5755 5767->5759 5769->5761 5770->5761 5772->5746 5773 40522e 5774 405239 InvalidateRect 5773->5774 5777 405245 5773->5777 5774->5777 5775 405152 SendMessageA 5780 405168 5775->5780 5776->5775 5776->5780 5777->5749 5797 404bac 5777->5797 5779 4051dc SendMessageA SendMessageA 5779->5780 5780->5773 5780->5779 5781->5772 5782->5741 5784 404c50 SendMessageA 5783->5784 5785 404c14 GetMessagePos ScreenToClient SendMessageA 5783->5785 5787 404c48 5784->5787 5786 404c4d 5785->5786 5785->5787 5786->5784 5787->5760 5800 406221 lstrcpynA 5788->5800 5790 404c84 5801 40617f wsprintfA 5790->5801 5792 404c8e 5793 40140b 2 API calls 5792->5793 5794 404c97 5793->5794 5802 406221 lstrcpynA 5794->5802 5796 404c9e 5796->5776 5803 404ae7 5797->5803 5799 404bc1 5799->5749 5800->5790 5801->5792 5802->5796 5804 404afd 5803->5804 5805 4062b4 17 API calls 5804->5805 5806 404b61 5805->5806 5807 4062b4 17 API calls 5806->5807 5808 404b6c 5807->5808 5809 4062b4 17 API calls 5808->5809 5810 404b82 lstrlenA wsprintfA SetDlgItemTextA 5809->5810 5810->5799 4278 403da4 4279 403dbc 4278->4279 4280 403f1d 4278->4280 4279->4280 4281 403dc8 4279->4281 4282 403f6e 4280->4282 4283 403f2e GetDlgItem GetDlgItem 4280->4283 4285 403dd3 SetWindowPos 4281->4285 4286 403de6 4281->4286 4284 403fc8 4282->4284 4292 401389 2 API 
calls 4282->4292 4287 40429e 18 API calls 4283->4287 4288 4042ea SendMessageA 4284->4288 4344 403f18 4284->4344 4285->4286 4289 403e31 4286->4289 4290 403def ShowWindow 4286->4290 4291 403f58 SetClassLongA 4287->4291 4341 403fda 4288->4341 4295 403e50 4289->4295 4296 403e39 DestroyWindow 4289->4296 4293 403f0a 4290->4293 4294 403e0f GetWindowLongA 4290->4294 4297 40140b 2 API calls 4291->4297 4300 403fa0 4292->4300 4301 404305 8 API calls 4293->4301 4294->4293 4302 403e28 ShowWindow 4294->4302 4298 403e55 SetWindowLongA 4295->4298 4299 403e66 4295->4299 4306 404227 4296->4306 4297->4282 4298->4344 4299->4293 4303 403e72 GetDlgItem 4299->4303 4300->4284 4304 403fa4 SendMessageA 4300->4304 4301->4344 4302->4289 4308 403ea0 4303->4308 4309 403e83 SendMessageA IsWindowEnabled 4303->4309 4304->4344 4305 40140b 2 API calls 4305->4341 4310 404258 ShowWindow 4306->4310 4306->4344 4307 404229 DestroyWindow EndDialog 4307->4306 4312 403ead 4308->4312 4315 403ef4 SendMessageA 4308->4315 4316 403ec0 4308->4316 4323 403ea5 4308->4323 4309->4308 4309->4344 4310->4344 4311 4062b4 17 API calls 4311->4341 4312->4315 4312->4323 4313 404277 SendMessageA 4317 403edb 4313->4317 4314 40429e 18 API calls 4314->4341 4315->4293 4318 403ec8 4316->4318 4319 403edd 4316->4319 4317->4293 4357 40140b 4318->4357 4320 40140b 2 API calls 4319->4320 4322 403ee4 4320->4322 4322->4293 4322->4323 4323->4313 4324 40429e 18 API calls 4325 404055 GetDlgItem 4324->4325 4326 404072 ShowWindow KiUserCallbackDispatcher 4325->4326 4327 40406a 4325->4327 4351 4042c0 KiUserCallbackDispatcher 4326->4351 4327->4326 4329 40409c EnableWindow 4334 4040b0 4329->4334 4330 4040b5 GetSystemMenu EnableMenuItem SendMessageA 4331 4040e5 SendMessageA 4330->4331 4330->4334 4331->4334 4334->4330 4352 4042d3 SendMessageA 4334->4352 4353 403d85 4334->4353 4356 406221 lstrcpynA 4334->4356 4336 404114 lstrlenA 4337 4062b4 17 API calls 4336->4337 4338 404125 SetWindowTextA 4337->4338 4339 401389 2 API calls 4338->4339 4339->4341 
4340 404169 DestroyWindow 4340->4306 4342 404183 CreateDialogParamA 4340->4342 4341->4305 4341->4307 4341->4311 4341->4314 4341->4324 4341->4340 4341->4344 4342->4306 4343 4041b6 4342->4343 4345 40429e 18 API calls 4343->4345 4346 4041c1 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4345->4346 4347 401389 2 API calls 4346->4347 4348 404207 4347->4348 4348->4344 4349 40420f ShowWindow 4348->4349 4350 4042ea SendMessageA 4349->4350 4350->4306 4351->4329 4352->4334 4354 4062b4 17 API calls 4353->4354 4355 403d93 SetWindowTextA 4354->4355 4355->4334 4356->4336 4358 401389 2 API calls 4357->4358 4359 401420 4358->4359 4359->4323 5811 4023a4 5812 4023b2 5811->5812 5813 4023ac 5811->5813 5815 402c39 17 API calls 5812->5815 5816 4023c2 5812->5816 5814 402c39 17 API calls 5813->5814 5814->5812 5815->5816 5817 402c39 17 API calls 5816->5817 5819 4023d0 5816->5819 5817->5819 5818 402c39 17 API calls 5820 4023d9 WritePrivateProfileStringA 5818->5820 5819->5818 4371 4020a5 4372 4020b7 4371->4372 4381 402165 4371->4381 4392 402c39 4372->4392 4375 401423 24 API calls 4382 4022ea 4375->4382 4376 402c39 17 API calls 4377 4020c7 4376->4377 4378 4020dc LoadLibraryExA 4377->4378 4379 4020cf GetModuleHandleA 4377->4379 4380 4020ec GetProcAddress 4378->4380 4378->4381 4379->4378 4379->4380 4383 402138 4380->4383 4384 4020fb 4380->4384 4381->4375 4385 405342 24 API calls 4383->4385 4386 402103 4384->4386 4387 40211a 4384->4387 4388 40210b 4385->4388 4440 401423 4386->4440 4398 73f1176b 4387->4398 4388->4382 4390 402159 FreeLibrary 4388->4390 4390->4382 4393 402c45 4392->4393 4394 4062b4 17 API calls 4393->4394 4395 402c66 4394->4395 4396 4020be 4395->4396 4397 4064ff 5 API calls 4395->4397 4396->4376 4397->4396 4399 73f1179b 4398->4399 4443 73f11b28 4399->4443 4401 73f117a2 4402 73f118c4 4401->4402 4403 73f117b3 4401->4403 4404 73f117ba 4401->4404 4402->4388 4491 73f1233f 4403->4491 4475 73f12381 4404->4475 4409 73f117d0 4414 73f117d6 4409->4414 4418 73f117e1 4409->4418 4410 
73f117e9 4424 73f117df 4410->4424 4501 73f12d53 4410->4501 4411 73f11800 4504 73f12568 4411->4504 4412 73f1181e 4415 73f11824 4412->4415 4416 73f1186c 4412->4416 4414->4424 4485 73f12ac8 4414->4485 4523 73f115fb 4415->4523 4422 73f12568 11 API calls 4416->4422 4417 73f11806 4515 73f115e9 4417->4515 4495 73f12742 4418->4495 4427 73f1185d 4422->4427 4424->4411 4424->4412 4439 73f118b3 4427->4439 4529 73f1252e 4427->4529 4429 73f117e7 4429->4424 4430 73f12568 11 API calls 4430->4427 4434 73f118bd GlobalFree 4434->4402 4436 73f1189f 4436->4439 4533 73f11572 wsprintfA 4436->4533 4437 73f11898 FreeLibrary 4437->4436 4439->4402 4439->4434 4441 405342 24 API calls 4440->4441 4442 401431 4441->4442 4442->4388 4536 73f112a5 GlobalAlloc 4443->4536 4445 73f11b4f 4537 73f112a5 GlobalAlloc 4445->4537 4447 73f11d90 GlobalFree GlobalFree GlobalFree 4448 73f11dad 4447->4448 4460 73f11df7 4447->4460 4450 73f12181 4448->4450 4458 73f11dc2 4448->4458 4448->4460 4449 73f11b5a 4449->4447 4451 73f11c4d GlobalAlloc 4449->4451 4453 73f11cb6 GlobalFree 4449->4453 4456 73f11c98 lstrcpyA 4449->4456 4457 73f11ca2 lstrcpyA 4449->4457 4449->4460 4462 73f12047 4449->4462 4466 73f11f89 GlobalFree 4449->4466 4467 73f120c3 4449->4467 4471 73f112b4 2 API calls 4449->4471 4538 73f115c4 GlobalSize GlobalAlloc 4449->4538 4452 73f121a3 GetModuleHandleA 4450->4452 4450->4460 4451->4449 4454 73f121b4 LoadLibraryA 4452->4454 4455 73f121c9 4452->4455 4453->4449 4454->4455 4454->4460 4544 73f11652 GetProcAddress 4455->4544 4456->4457 4457->4449 4458->4460 4540 73f112b4 4458->4540 4460->4401 4461 73f1221a 4461->4460 4465 73f12227 lstrlenA 4461->4465 4543 73f112a5 GlobalAlloc 4462->4543 4545 73f11652 GetProcAddress 4465->4545 4466->4449 4467->4460 4473 73f1211c lstrcpyA 4467->4473 4468 73f121db 4468->4461 4474 73f12204 GetProcAddress 4468->4474 4469 73f1204f 4469->4401 4471->4449 4473->4460 4474->4461 4477 73f1239a 4475->4477 4476 73f112b4 GlobalAlloc lstrcpynA 4476->4477 4477->4476 4479 73f124d6 GlobalFree 
4477->4479 4480 73f12448 GlobalAlloc MultiByteToWideChar 4477->4480 4482 73f12495 4477->4482 4547 73f1133d 4477->4547 4479->4477 4481 73f117c0 4479->4481 4480->4482 4483 73f12474 GlobalAlloc CLSIDFromString GlobalFree 4480->4483 4481->4409 4481->4410 4481->4424 4482->4479 4551 73f126d6 4482->4551 4483->4479 4487 73f12ada 4485->4487 4486 73f12b7f ReadFile 4490 73f12b9d 4486->4490 4487->4486 4489 73f12c69 4489->4424 4554 73f12a74 4490->4554 4492 73f12354 4491->4492 4493 73f1235f GlobalAlloc 4492->4493 4494 73f117b9 4492->4494 4493->4492 4494->4404 4499 73f12772 4495->4499 4496 73f12820 4498 73f12826 GlobalSize 4496->4498 4500 73f12830 4496->4500 4497 73f1280d GlobalAlloc 4497->4500 4498->4500 4499->4496 4499->4497 4500->4429 4502 73f12d5e 4501->4502 4503 73f12d9e GlobalFree 4502->4503 4558 73f112a5 GlobalAlloc 4504->4558 4506 73f12574 4507 73f125f3 lstrcpynA 4506->4507 4508 73f12604 StringFromGUID2 WideCharToMultiByte 4506->4508 4509 73f12628 WideCharToMultiByte 4506->4509 4510 73f12649 wsprintfA 4506->4510 4511 73f1266d GlobalFree 4506->4511 4512 73f126a7 GlobalFree 4506->4512 4513 73f112f6 2 API calls 4506->4513 4559 73f11361 4506->4559 4507->4506 4508->4506 4509->4506 4510->4506 4511->4506 4512->4417 4513->4506 4563 73f112a5 GlobalAlloc 4515->4563 4517 73f115ee 4518 73f115fb 2 API calls 4517->4518 4519 73f115f8 4518->4519 4520 73f112f6 4519->4520 4521 73f11338 GlobalFree 4520->4521 4522 73f112ff GlobalAlloc lstrcpynA 4520->4522 4521->4427 4522->4521 4524 73f11634 lstrcpyA 4523->4524 4525 73f11607 wsprintfA 4523->4525 4528 73f1164d 4524->4528 4525->4528 4528->4430 4530 73f1253c 4529->4530 4532 73f1187f 4529->4532 4531 73f12555 GlobalFree 4530->4531 4530->4532 4531->4530 4532->4436 4532->4437 4534 73f112f6 2 API calls 4533->4534 4535 73f11593 4534->4535 4535->4439 4536->4445 4537->4449 4539 73f115e2 4538->4539 4539->4449 4546 73f112a5 GlobalAlloc 4540->4546 4542 73f112c3 lstrcpynA 4542->4460 4543->4469 4544->4468 4545->4460 4546->4542 4548 73f11344 4547->4548 4549 
73f112b4 2 API calls 4548->4549 4550 73f1135f 4549->4550 4550->4477 4552 73f126e4 VirtualAlloc 4551->4552 4553 73f1273a 4551->4553 4552->4553 4553->4482 4555 73f12a7f 4554->4555 4556 73f12a84 GetLastError 4555->4556 4557 73f12a8f 4555->4557 4556->4557 4557->4489 4558->4506 4560 73f11389 4559->4560 4561 73f1136a 4559->4561 4560->4506 4561->4560 4562 73f11370 lstrcpyA 4561->4562 4562->4560 4563->4517 5821 402e25 5822 402e34 SetTimer 5821->5822 5824 402e4d 5821->5824 5822->5824 5823 402ea2 5824->5823 5825 402e67 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 5824->5825 5825->5823 4601 402429 4602 402430 4601->4602 4603 40245b 4601->4603 4617 402c79 4602->4617 4605 402c39 17 API calls 4603->4605 4607 402462 4605->4607 4613 402cf7 4607->4613 4609 402441 4611 402c39 17 API calls 4609->4611 4610 40246f 4612 402448 RegDeleteValueA RegCloseKey 4611->4612 4612->4610 4614 402d03 4613->4614 4615 402d0a 4613->4615 4614->4610 4615->4614 4622 402d3b 4615->4622 4618 402c39 17 API calls 4617->4618 4619 402c90 4618->4619 4620 4060a7 RegOpenKeyExA 4619->4620 4621 402437 4620->4621 4621->4609 4621->4610 4623 4060a7 RegOpenKeyExA 4622->4623 4624 402d69 4623->4624 4625 402d73 4624->4625 4626 402e1e 4624->4626 4627 402d79 RegEnumValueA 4625->4627 4634 402d9c 4625->4634 4626->4614 4628 402e03 RegCloseKey 4627->4628 4627->4634 4628->4626 4629 402dd8 RegEnumKeyA 4630 402de1 RegCloseKey 4629->4630 4629->4634 4637 40662d GetModuleHandleA 4630->4637 4632 402d3b 6 API calls 4632->4634 4634->4628 4634->4629 4634->4630 4634->4632 4635 402e13 4635->4626 4636 402df5 RegDeleteKeyA 4636->4626 4638 406653 GetProcAddress 4637->4638 4639 406649 4637->4639 4641 402df1 4638->4641 4643 4065bf GetSystemDirectoryA 4639->4643 4641->4635 4641->4636 4642 40664f 4642->4638 4642->4641 4644 4065e1 wsprintfA LoadLibraryExA 4643->4644 4644->4642 5833 4027aa 5834 402c39 17 API calls 5833->5834 5835 4027b1 FindFirstFileA 5834->5835 5836 4027d4 5835->5836 5839 4027c4 5835->5839 5837 4027db 5836->5837 5841 40617f 
wsprintfA 5836->5841 5842 406221 lstrcpynA 5837->5842 5841->5837 5842->5839 5843 401c2e 5844 402c17 17 API calls 5843->5844 5845 401c35 5844->5845 5846 402c17 17 API calls 5845->5846 5847 401c42 5846->5847 5848 402c39 17 API calls 5847->5848 5849 401c57 5847->5849 5848->5849 5850 401c67 5849->5850 5853 402c39 17 API calls 5849->5853 5851 401c72 5850->5851 5852 401cbe 5850->5852 5854 402c17 17 API calls 5851->5854 5855 402c39 17 API calls 5852->5855 5853->5850 5856 401c77 5854->5856 5857 401cc3 5855->5857 5858 402c17 17 API calls 5856->5858 5859 402c39 17 API calls 5857->5859 5860 401c83 5858->5860 5861 401ccc FindWindowExA 5859->5861 5862 401c90 SendMessageTimeoutA 5860->5862 5863 401cae SendMessageA 5860->5863 5864 401cea 5861->5864 5862->5864 5863->5864 5865 40262e 5866 402633 5865->5866 5867 402647 5865->5867 5868 402c17 17 API calls 5866->5868 5869 402c39 17 API calls 5867->5869 5871 40263c 5868->5871 5870 40264e lstrlenA 5869->5870 5870->5871 5872 402670 5871->5872 5873 405e5b WriteFile 5871->5873 5873->5872 5874 404730 5875 40475c 5874->5875 5876 40476d 5874->5876 5935 40591b GetDlgItemTextA 5875->5935 5877 404779 GetDlgItem 5876->5877 5880 4047d8 5876->5880 5879 40478d 5877->5879 5883 4047a1 SetWindowTextA 5879->5883 5886 405c4c 4 API calls 5879->5886 5888 4062b4 17 API calls 5880->5888 5897 4048bc 5880->5897 5933 404a66 5880->5933 5881 404767 5882 4064ff 5 API calls 5881->5882 5882->5876 5887 40429e 18 API calls 5883->5887 5885 404305 8 API calls 5890 404a7a 5885->5890 5894 404797 5886->5894 5891 4047bd 5887->5891 5892 40484c SHBrowseForFolderA 5888->5892 5889 4048ec 5893 405ca1 18 API calls 5889->5893 5895 40429e 18 API calls 5891->5895 5896 404864 CoTaskMemFree 5892->5896 5892->5897 5898 4048f2 5893->5898 5894->5883 5899 405bb3 3 API calls 5894->5899 5900 4047cb 5895->5900 5901 405bb3 3 API calls 5896->5901 5897->5933 5937 40591b GetDlgItemTextA 5897->5937 5938 406221 lstrcpynA 5898->5938 5899->5883 5936 4042d3 SendMessageA 5900->5936 5904 404871 
5901->5904 5906 4048a8 SetDlgItemTextA 5904->5906 5910 4062b4 17 API calls 5904->5910 5905 4047d1 5908 40662d 5 API calls 5905->5908 5906->5897 5907 404909 5909 40662d 5 API calls 5907->5909 5908->5880 5917 404910 5909->5917 5911 404890 lstrcmpiA 5910->5911 5911->5906 5913 4048a1 lstrcatA 5911->5913 5912 40494c 5939 406221 lstrcpynA 5912->5939 5913->5906 5915 404953 5916 405c4c 4 API calls 5915->5916 5918 404959 GetDiskFreeSpaceA 5916->5918 5917->5912 5921 405bfa 2 API calls 5917->5921 5922 4049a4 5917->5922 5920 40497d MulDiv 5918->5920 5918->5922 5920->5922 5921->5917 5923 404a15 5922->5923 5924 404bac 20 API calls 5922->5924 5925 404a38 5923->5925 5927 40140b 2 API calls 5923->5927 5926 404a02 5924->5926 5940 4042c0 KiUserCallbackDispatcher 5925->5940 5928 404a17 SetDlgItemTextA 5926->5928 5929 404a07 5926->5929 5927->5925 5928->5923 5931 404ae7 20 API calls 5929->5931 5931->5923 5932 404a54 5932->5933 5934 404689 SendMessageA 5932->5934 5933->5885 5934->5933 5935->5881 5936->5905 5937->5889 5938->5907 5939->5915 5940->5932 5941 73f11000 5942 73f1101b 5 API calls 5941->5942 5943 73f11019 5942->5943 4658 401932 4659 401934 4658->4659 4660 402c39 17 API calls 4659->4660 4661 401939 4660->4661 4664 4059e3 4661->4664 4704 405ca1 4664->4704 4667 405a22 4670 405b50 4667->4670 4718 406221 lstrcpynA 4667->4718 4668 405a0b DeleteFileA 4669 401942 4668->4669 4670->4669 4736 406598 FindFirstFileA 4670->4736 4672 405a48 4673 405a5b 4672->4673 4674 405a4e lstrcatA 4672->4674 4719 405bfa lstrlenA 4673->4719 4676 405a61 4674->4676 4679 405a6f lstrcatA 4676->4679 4681 405a7a lstrlenA FindFirstFileA 4676->4681 4679->4681 4680 405b78 4739 405bb3 lstrlenA CharPrevA 4680->4739 4681->4670 4686 405a9e 4681->4686 4683 405bde CharNextA 4683->4686 4685 40599b 5 API calls 4687 405b8a 4685->4687 4686->4683 4691 405b2f FindNextFileA 4686->4691 4702 405af0 4686->4702 4723 406221 lstrcpynA 4686->4723 4688 405ba4 4687->4688 4689 405b8e 4687->4689 4690 405342 24 API calls 4688->4690 4689->4669 
4694 405342 24 API calls 4689->4694 4690->4669 4691->4686 4693 405b47 FindClose 4691->4693 4693->4670 4695 405b9b 4694->4695 4697 405ffa 36 API calls 4695->4697 4699 405ba2 4697->4699 4698 4059e3 60 API calls 4698->4702 4699->4669 4700 405342 24 API calls 4700->4691 4701 405342 24 API calls 4701->4702 4702->4691 4702->4698 4702->4700 4702->4701 4724 40599b 4702->4724 4732 405ffa MoveFileExA 4702->4732 4742 406221 lstrcpynA 4704->4742 4706 405cb2 4743 405c4c CharNextA CharNextA 4706->4743 4709 405a03 4709->4667 4709->4668 4710 4064ff 5 API calls 4716 405cc8 4710->4716 4711 405cf3 lstrlenA 4712 405cfe 4711->4712 4711->4716 4713 405bb3 3 API calls 4712->4713 4715 405d03 GetFileAttributesA 4713->4715 4714 406598 2 API calls 4714->4716 4715->4709 4716->4709 4716->4711 4716->4714 4717 405bfa 2 API calls 4716->4717 4717->4711 4718->4672 4720 405c07 4719->4720 4721 405c18 4720->4721 4722 405c0c CharPrevA 4720->4722 4721->4676 4722->4720 4722->4721 4723->4686 4749 405d8f GetFileAttributesA 4724->4749 4727 4059c8 4727->4702 4728 4059b6 RemoveDirectoryA 4730 4059c4 4728->4730 4729 4059be DeleteFileA 4729->4730 4730->4727 4731 4059d4 SetFileAttributesA 4730->4731 4731->4727 4733 40600e 4732->4733 4735 40601b 4732->4735 4752 405e8a 4733->4752 4735->4702 4737 405b74 4736->4737 4738 4065ae FindClose 4736->4738 4737->4669 4737->4680 4738->4737 4740 405b7e 4739->4740 4741 405bcd lstrcatA 4739->4741 4740->4685 4741->4740 4742->4706 4744 405c67 4743->4744 4747 405c77 4743->4747 4745 405c72 CharNextA 4744->4745 4744->4747 4748 405c97 4745->4748 4746 405bde CharNextA 4746->4747 4747->4746 4747->4748 4748->4709 4748->4710 4750 405da1 SetFileAttributesA 4749->4750 4751 4059a7 4749->4751 4750->4751 4751->4727 4751->4728 4751->4729 4753 405eb0 4752->4753 4754 405ed6 GetShortPathNameA 4752->4754 4779 405db4 GetFileAttributesA CreateFileA 4753->4779 4755 405ff5 4754->4755 4756 405eeb 4754->4756 4755->4735 4756->4755 4759 405ef3 wsprintfA 4756->4759 4758 405eba CloseHandle GetShortPathNameA 
4758->4755 4760 405ece 4758->4760 4761 4062b4 17 API calls 4759->4761 4760->4754 4760->4755 4762 405f1b 4761->4762 4780 405db4 GetFileAttributesA CreateFileA 4762->4780 4764 405f28 4764->4755 4765 405f37 GetFileSize GlobalAlloc 4764->4765 4766 405f59 4765->4766 4767 405fee CloseHandle 4765->4767 4781 405e2c ReadFile 4766->4781 4767->4755 4772 405f78 lstrcpyA 4775 405f9a 4772->4775 4773 405f8c 4774 405d19 4 API calls 4773->4774 4774->4775 4776 405fd1 SetFilePointer 4775->4776 4788 405e5b WriteFile 4776->4788 4779->4758 4780->4764 4782 405e4a 4781->4782 4782->4767 4783 405d19 lstrlenA 4782->4783 4784 405d5a lstrlenA 4783->4784 4785 405d62 4784->4785 4786 405d33 lstrcmpiA 4784->4786 4785->4772 4785->4773 4786->4785 4787 405d51 CharNextA 4786->4787 4787->4784 4789 405e79 GlobalFree 4788->4789 4789->4767 4790 402733 4791 40273a 4790->4791 4793 402a47 4790->4793 4792 402c17 17 API calls 4791->4792 4794 402741 4792->4794 4795 402750 SetFilePointer 4794->4795 4795->4793 4796 402760 4795->4796 4798 40617f wsprintfA 4796->4798 4798->4793 5944 401e35 GetDC 5945 402c17 17 API calls 5944->5945 5946 401e47 GetDeviceCaps MulDiv ReleaseDC 5945->5946 5947 402c17 17 API calls 5946->5947 5948 401e78 5947->5948 5949 4062b4 17 API calls 5948->5949 5950 401eb5 CreateFontIndirectA 5949->5950 5951 402628 5950->5951 5952 4052b6 5953 4052c6 5952->5953 5954 4052da 5952->5954 5955 4052cc 5953->5955 5964 405323 5953->5964 5956 4052f9 5954->5956 5957 4052e2 IsWindowVisible 5954->5957 5959 4042ea SendMessageA 5955->5959 5958 405328 CallWindowProcA 5956->5958 5963 404c71 4 API calls 5956->5963 5960 4052ef 5957->5960 5957->5964 5961 4052d6 5958->5961 5959->5961 5962 404bf1 5 API calls 5960->5962 5962->5956 5963->5964 5964->5958 5965 4014b7 5966 4014bd 5965->5966 5967 401389 2 API calls 5966->5967 5968 4014c5 5967->5968 4911 4015bb 4912 402c39 17 API calls 4911->4912 4913 4015c2 4912->4913 4914 405c4c 4 API calls 4913->4914 4926 4015ca 4914->4926 4915 401624 4917 401652 4915->4917 4918 401629 
4915->4918 4916 405bde CharNextA 4916->4926 4920 401423 24 API calls 4917->4920 4919 401423 24 API calls 4918->4919 4921 401630 4919->4921 4928 40164a 4920->4928 4938 406221 lstrcpynA 4921->4938 4925 40163b SetCurrentDirectoryA 4925->4928 4926->4915 4926->4916 4927 40160c GetFileAttributesA 4926->4927 4930 4058a2 4926->4930 4933 405808 CreateDirectoryA 4926->4933 4939 405885 CreateDirectoryA 4926->4939 4927->4926 4931 40662d 5 API calls 4930->4931 4932 4058a9 4931->4932 4932->4926 4934 405855 4933->4934 4935 405859 GetLastError 4933->4935 4934->4926 4935->4934 4936 405868 SetFileSecurityA 4935->4936 4936->4934 4937 40587e GetLastError 4936->4937 4937->4934 4938->4925 4940 405895 4939->4940 4941 405899 GetLastError 4939->4941 4940->4926 4941->4940 5969 4016bb 5970 402c39 17 API calls 5969->5970 5971 4016c1 GetFullPathNameA 5970->5971 5972 4016f9 5971->5972 5973 4016d8 5971->5973 5974 402ac5 5972->5974 5975 40170d GetShortPathNameA 5972->5975 5973->5972 5976 406598 2 API calls 5973->5976 5975->5974 5977 4016e9 5976->5977 5977->5972 5979 406221 lstrcpynA 5977->5979 5979->5972

Control-flow Graph
                                  APIs
                                  • SetErrorMode.KERNELBASE(00008001), ref: 004033A0
                                  • GetVersionExA.KERNEL32(?), ref: 004033C9
                                  • GetVersionExA.KERNEL32(0000009C), ref: 004033E0
                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034A9
                                  • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004034E6
                                  • OleInitialize.OLE32(00000000), ref: 004034ED
                                  • SHGetFileInfoA.SHELL32(0041FCE8,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040350B
                                  • GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 00403520
                                  • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Quotation.scr.exe",00000020,"C:\Users\user\Desktop\Quotation.scr.exe",00000000,?,00000007,00000009,0000000B), ref: 0040355A
                                  • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403653
                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403664
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403670
                                  • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403684
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040368C
                                  • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040369D
                                  • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036A5
                                  • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036B9
                                  • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403764
                                  • ExitProcess.KERNEL32 ref: 00403785
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.scr.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403798
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A14C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.scr.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004037A7
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.scr.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004037B2
                                  • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004037BE
                                  • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037DA
                                  • DeleteFileA.KERNEL32(0041F8E8,0041F8E8,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403837
                                  • CopyFileA.KERNEL32(C:\Users\user\Desktop\Quotation.scr.exe,0041F8E8,00000001), ref: 0040384C
                                  • CloseHandle.KERNEL32(00000000,0041F8E8,0041F8E8,?,0041F8E8,00000000,?,00000007,00000009,0000000B), ref: 00403879
                                  • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038A7
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004038AE
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038C2
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004038E1
                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 00403906
                                  • ExitProcess.KERNEL32 ref: 00403927
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                  • String ID: "$"C:\Users\user\Desktop\Quotation.scr.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion$C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes$C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.scr.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K$v$~nsu
                                  • API String ID: 1000954069-171667620
                                  • Opcode ID: e5738f2d6d7e9ca7aa43ca6c932ed3992ead99d902028740f92a8f332b86e70c
                                  • Instruction ID: 749ca1f884a109dc3baadb633c6346e81904bebc47269a3551ed0a9903763c5b
                                  • Opcode Fuzzy Hash: e5738f2d6d7e9ca7aa43ca6c932ed3992ead99d902028740f92a8f332b86e70c
                                  • Instruction Fuzzy Hash: B6E10670A04654AADB216FB59D49B6F7EB8DF86306F0440BFE441B61D2CB7C4A01CB2E
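The listing above (strings "NSIS Error", "Error launching installer", "~nsu" and the TEMP/TMP set-up) is consistent with the NSIS installer stub's main function, and two of its capabilities can be read straight from the API references: the build-up of a "<TEMP>~nsu?.tmp" staging path followed by CopyFileA of the running image, and the SeShutdownPrivilege / AdjustTokenPrivileges / ExitWindowsEx(EWX_REBOOT) sequence. The following Python is an added example, not part of the Joe Sandbox report and not NSIS or the sample's own code: it parses the report's "• API.MODULE(args), ref: address" lines into address order and flags those two patterns. The sample lines are copied from the listing above; the assumed line format, the rule logic and the interpretation of the flags are the example's own.

```python
import re
from typing import Dict, List, Optional

# Added example (not from the Joe Sandbox report): parse the report's
# "• API.MODULE(args), ref: address" lines and flag two capabilities.
# SAMPLE_LINES is copied from the report's API listing for function 40337d;
# the regex, the flag rules and the NSIS-stub reading are assumptions.

EWX_REBOOT = 0x00000002  # Win32 ExitWindowsEx flag bit

API_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

SAMPLE_LINES = r"""
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403653
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.scr.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403798
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Quotation.scr.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004037B2
• CopyFileA.KERNEL32(C:\Users\user\Desktop\Quotation.scr.exe,0041F8E8,00000001), ref: 0040384C
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038C2
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004038E1
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403906
• ExitProcess.KERNEL32 ref: 00403927
"""


def _hex(arg: str) -> Optional[int]:
    """Decode a hex argument; '?', strings and paths yield None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_api_lines(text: str) -> List[Dict]:
    """Return the API references found in text, sorted by call address."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue  # CFG edge lists, "Part of subcall" notes, headers
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    calls.sort(key=lambda c: c["ref"])
    return calls


def flags_from_calls(calls: List[Dict]) -> List[str]:
    """Flag capabilities readable from the ordered API references."""
    findings = []
    apis = [c["api"] for c in calls]

    # 1. "<TEMP>~nsu?.tmp" built with lstrcatA, then CopyFileA of the running
    #    image: the self-copy into TEMP the NSIS stub performs as uninstaller.
    appended = {c["args"][1] for c in calls
                if c["api"] == "lstrcatA" and len(c["args"]) > 1}
    if {"~nsu", ".tmp"} <= appended and "CopyFileA" in apis:
        findings.append("self-copy into %TEMP%\\~nsu*.tmp staging directory")

    # 2. SeShutdownPrivilege enabled on the own token, then ExitWindowsEx
    #    with EWX_REBOOT set: the binary can reboot the host.
    for i, c in enumerate(calls):
        if c["api"] != "LookupPrivilegeValueA" or "SeShutdownPrivilege" not in c["args"]:
            continue
        later = calls[i + 1:]
        adjusted = any(x["api"] == "AdjustTokenPrivileges" for x in later)
        reboot = any(x["api"] == "ExitWindowsEx" and x["args"]
                     and (_hex(x["args"][0]) or 0) & EWX_REBOOT for x in later)
        if adjusted and reboot:
            findings.append("reboot capability: SeShutdownPrivilege + ExitWindowsEx(EWX_REBOOT)")
            break
    return findings


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    for c in calls:
        shown = ", ".join(c["args"][:3]) + (", ..." if len(c["args"]) > 3 else "")
        print(f"{c['ref']:08X} {c['api']}.{c['module']}({shown})")
    for flag in flags_from_calls(calls):
        print("FLAG:", flag)
```

One caveat when using this on the text export: an API reference records that the code path exists, not that it ran in the sandbox. The report's rendered control-flow graph distinguishes executed from non-executed blocks (the "Executed" / "Not Executed" legend), but that colouring is lost in the text dump, so the reboot flag here is a capability finding and should be cross-checked against the behaviour signatures before being reported as observed activity.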

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 144 405480-40549c 145 4054a2-405569 GetDlgItem * 3 call 4042d3 call 404bc4 GetClientRect GetSystemMetrics SendMessageA * 2 144->145 146 40562b-405631 144->146 168 405587-40558a 145->168 169 40556b-405585 SendMessageA * 2 145->169 148 405633-405655 GetDlgItem CreateThread CloseHandle 146->148 149 40565b-405667 146->149 148->149 151 405689-40568f 149->151 152 405669-40566f 149->152 153 405691-405697 151->153 154 4056e4-4056e7 151->154 156 405671-405684 ShowWindow * 2 call 4042d3 152->156 157 4056aa-4056b1 call 404305 152->157 158 405699-4056a5 call 404277 153->158 159 4056bd-4056cd ShowWindow 153->159 154->157 162 4056e9-4056ef 154->162 156->151 165 4056b6-4056ba 157->165 158->157 166 4056dd-4056df call 404277 159->166 167 4056cf-4056d8 call 405342 159->167 162->157 170 4056f1-405704 SendMessageA 162->170 166->154 167->166 173 40559a-4055b1 call 40429e 168->173 174 40558c-405598 SendMessageA 168->174 169->168 175 405801-405803 170->175 176 40570a-405736 CreatePopupMenu call 4062b4 AppendMenuA 170->176 183 4055b3-4055c7 ShowWindow 173->183 184 4055e7-405608 GetDlgItem SendMessageA 173->184 174->173 175->165 181 405738-405748 GetWindowRect 176->181 182 40574b-405761 TrackPopupMenu 176->182 181->182 182->175 185 405767-405781 182->185 186 4055d6 183->186 187 4055c9-4055d4 ShowWindow 183->187 184->175 188 40560e-405626 SendMessageA * 2 184->188 189 405786-4057a1 SendMessageA 185->189 190 4055dc-4055e2 call 4042d3 186->190 187->190 188->175 189->189 191 4057a3-4057c3 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 189->191 190->184 193 4057c5-4057e5 SendMessageA 191->193 193->193 194 4057e7-4057fb GlobalUnlock SetClipboardData CloseClipboard 193->194 194->175
                                  APIs
                                  • GetDlgItem.USER32(?,00000403), ref: 004054DF
                                  • GetDlgItem.USER32(?,000003EE), ref: 004054EE
                                  • GetClientRect.USER32(?,?), ref: 0040552B
                                  • GetSystemMetrics.USER32(00000002), ref: 00405532
                                  • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405553
                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405564
                                  • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405577
                                  • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405585
                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405598
                                  • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055BA
                                  • ShowWindow.USER32(?,00000008), ref: 004055CE
                                  • GetDlgItem.USER32(?,000003EC), ref: 004055EF
                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004055FF
                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405618
                                  • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405624
                                  • GetDlgItem.USER32(?,000003F8), ref: 004054FD
                                    • Part of subcall function 004042D3: SendMessageA.USER32(00000028,?,00000001,00404103), ref: 004042E1
                                  • GetDlgItem.USER32(?,000003EC), ref: 00405640
                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00005414,00000000), ref: 0040564E
                                  • CloseHandle.KERNELBASE(00000000), ref: 00405655
                                  • ShowWindow.USER32(00000000), ref: 00405678
                                  • ShowWindow.USER32(?,00000008), ref: 0040567F
                                  • ShowWindow.USER32(00000008), ref: 004056C5
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004056F9
                                  • CreatePopupMenu.USER32 ref: 0040570A
                                  • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040571F
                                  • GetWindowRect.USER32(?,000000FF), ref: 0040573F
                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405758
                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405794
                                  • OpenClipboard.USER32(00000000), ref: 004057A4
                                  • EmptyClipboard.USER32 ref: 004057AA
                                  • GlobalAlloc.KERNEL32(00000042,?), ref: 004057B3
                                  • GlobalLock.KERNEL32(00000000), ref: 004057BD
                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004057D1
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004057EA
                                  • SetClipboardData.USER32(00000001,00000000), ref: 004057F5
                                  • CloseClipboard.USER32 ref: 004057FB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                  • String ID: (B
                                  • API String ID: 590372296-3831730363
                                  • Opcode ID: 3538998e7ac6937c35b0404c865ed8cfac61fc2dc03a073b57aa1ab5748f9a66
                                  • Instruction ID: 1128d4e7ed3dd90078e78f6d068a07dce54eda0cee9257493f96a10017d3f030
                                  • Opcode Fuzzy Hash: 3538998e7ac6937c35b0404c865ed8cfac61fc2dc03a073b57aa1ab5748f9a66
                                  • Instruction Fuzzy Hash: 8DA17B71900608BFDB119FA0DE89EAE7BB9FB48354F50403AFA04B61A0CB754E51DF68

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 505 4059e3-405a09 call 405ca1 508 405a22-405a29 505->508 509 405a0b-405a1d DeleteFileA 505->509 511 405a2b-405a2d 508->511 512 405a3c-405a4c call 406221 508->512 510 405bac-405bb0 509->510 513 405a33-405a36 511->513 514 405b5a-405b5f 511->514 520 405a5b-405a5c call 405bfa 512->520 521 405a4e-405a59 lstrcatA 512->521 513->512 513->514 514->510 516 405b61-405b64 514->516 518 405b66-405b6c 516->518 519 405b6e-405b76 call 406598 516->519 518->510 519->510 528 405b78-405b8c call 405bb3 call 40599b 519->528 523 405a61-405a64 520->523 521->523 526 405a66-405a6d 523->526 527 405a6f-405a75 lstrcatA 523->527 526->527 529 405a7a-405a98 lstrlenA FindFirstFileA 526->529 527->529 544 405ba4-405ba7 call 405342 528->544 545 405b8e-405b91 528->545 531 405b50-405b54 529->531 532 405a9e-405ab5 call 405bde 529->532 531->514 535 405b56 531->535 538 405ac0-405ac3 532->538 539 405ab7-405abb 532->539 535->514 542 405ac5-405aca 538->542 543 405ad6-405ae4 call 406221 538->543 539->538 541 405abd 539->541 541->538 547 405acc-405ace 542->547 548 405b2f-405b41 FindNextFileA 542->548 555 405ae6-405aee 543->555 556 405afb-405b06 call 40599b 543->556 544->510 545->518 550 405b93-405ba2 call 405342 call 405ffa 545->550 547->543 551 405ad0-405ad4 547->551 548->532 553 405b47-405b4a FindClose 548->553 550->510 551->543 551->548 553->531 555->548 559 405af0-405af9 call 4059e3 555->559 564 405b27-405b2a call 405342 556->564 565 405b08-405b0b 556->565 559->548 564->548 567 405b0d-405b1d call 405342 call 405ffa 565->567 568 405b1f-405b25 565->568 567->548 568->548
                                  APIs
                                  • DeleteFileA.KERNELBASE(?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405A0C
                                  • lstrcatA.KERNEL32(00421D30,\*.*,00421D30,?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405A54
                                  • lstrcatA.KERNEL32(?,0040A014,?,00421D30,?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405A75
                                  • lstrlenA.KERNEL32(?,?,0040A014,?,00421D30,?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405A7B
                                  • FindFirstFileA.KERNELBASE(00421D30,?,?,?,0040A014,?,00421D30,?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405A8C
                                  • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B39
                                  • FindClose.KERNEL32(00000000), ref: 00405B4A
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004059F0
                                  • \*.*, xrefs: 00405A4E
                                  • "C:\Users\user\Desktop\Quotation.scr.exe", xrefs: 004059EC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                  • String ID: "C:\Users\user\Desktop\Quotation.scr.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                  • API String ID: 2035342205-1484654341
                                  • Opcode ID: 81882efd58b420d6b16d2905d63c031d3fb1324cac7cf7011ae359e44b083396
                                  • Instruction ID: d2507ff3931bdc038cadedc74e547574789c879394a39327d485f1673ab882f2
                                  • Opcode Fuzzy Hash: 81882efd58b420d6b16d2905d63c031d3fb1324cac7cf7011ae359e44b083396
                                  • Instruction Fuzzy Hash: F651CF30904A54AADB21AB658C85BBF7AB8DF42314F14417FF442B21D2C77CA942DF6E

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 726 406921-406926 727 406997-4069b5 726->727 728 406928-406957 726->728 729 406f8d-406fa2 727->729 730 406959-40695c 728->730 731 40695e-406962 728->731 735 406fa4-406fba 729->735 736 406fbc-406fd2 729->736 732 40696e-406971 730->732 733 406964-406968 731->733 734 40696a 731->734 738 406973-40697c 732->738 739 40698f-406992 732->739 733->732 734->732 737 406fd5-406fdc 735->737 736->737 740 407003-40700f 737->740 741 406fde-406fe2 737->741 742 406981-40698d 738->742 743 40697e 738->743 744 406b64-406b82 739->744 751 4067a5-4067ae 740->751 745 407191-40719b 741->745 746 406fe8-407000 741->746 747 4069f7-406a25 742->747 743->742 749 406b84-406b98 744->749 750 406b9a-406bac 744->750 754 4071a7-4071ba 745->754 746->740 752 406a41-406a5b 747->752 753 406a27-406a3f 747->753 755 406baf-406bb9 749->755 750->755 758 4067b4 751->758 759 4071bc 751->759 757 406a5e-406a68 752->757 753->757 756 4071bf-4071c3 754->756 760 406bbb 755->760 761 406b5c-406b62 755->761 765 406a6e 757->765 766 4069df-4069e5 757->766 767 406860-406864 758->767 768 4068d0-4068d4 758->768 769 4067bb-4067bf 758->769 770 4068fb-40691c 758->770 759->756 762 406b37-406b3b 760->762 763 406ccc-406cd9 760->763 761->744 764 406b00-406b0a 761->764 777 406b41-406b59 762->777 778 407143-40714d 762->778 763->751 773 406b10-406b32 764->773 774 40714f-407159 764->774 787 4069c4-4069dc 765->787 788 40712b-407135 765->788 775 406a98-406a9e 766->775 776 4069eb-4069f1 766->776 779 407110-40711a 767->779 780 40686a-406883 767->780 771 4068da-4068ee 768->771 772 40711f-407129 768->772 769->754 782 4067c5-4067d2 769->782 770->729 786 4068f1-4068f9 771->786 772->754 773->763 774->754 783 406aa0-406abe 775->783 784 406afc 775->784 776->747 776->784 777->761 778->754 779->754 789 406886-40688a 780->789 782->759 785 4067d8-40681e 782->785 790 406ac0-406ad4 783->790 791 406ad6-406ae8 783->791 784->764 792 406820-406824 785->792 793 406846-406848 785->793 786->768 786->770 
787->766 788->754 789->767 794 40688c-406892 789->794 795 406aeb-406af5 790->795 791->795 796 406826-406829 GlobalFree 792->796 797 40682f-40683d GlobalAlloc 792->797 798 406856-40685e 793->798 799 40684a-406854 793->799 800 406894-40689b 794->800 801 4068bc-4068ce 794->801 795->775 802 406af7 795->802 796->797 797->759 803 406843 797->803 798->789 799->798 799->799 804 4068a6-4068b6 GlobalAlloc 800->804 805 40689d-4068a0 GlobalFree 800->805 801->786 807 407137-407141 802->807 808 406a7d-406a95 802->808 803->793 804->759 804->801 805->804 807->754 808->775
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8A$8A
                                  • API String ID: 0-94555818
                                  • Opcode ID: fe9b0a565e49353f50a2384f82503882e27d956ec4bd13b35c59e002b2bd0f03
                                  • Instruction ID: 4a96d3ccc9c27ea4b8989396041a4e940746824c9dc582c1df0a06103c2f4d94
                                  • Opcode Fuzzy Hash: fe9b0a565e49353f50a2384f82503882e27d956ec4bd13b35c59e002b2bd0f03
                                  • Instruction Fuzzy Hash: 7DF17571D04229CBDF18CFA8C8946ADBBB1FF44305F25816ED856BB281D7386A86CF45
                                  APIs
                                  • FindFirstFileA.KERNELBASE(76233410,00422578,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,00405CE4,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A03,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 004065A3
                                  • FindClose.KERNEL32(00000000), ref: 004065AF
                                  Strings
                                  • x%B, xrefs: 00406599
                                  • C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp, xrefs: 00406598
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp$x%B
                                  • API String ID: 2295610775-1211582002
                                  • Opcode ID: f29c590cbb4ae7880d615934e2c411517b6bf54f8089bedae6efd123f54e346e
                                  • Instruction ID: 4346e421b4c9efdfb94f659af05368f623b37152ca2cb3c45517a618c063f3b6
                                  • Opcode Fuzzy Hash: f29c590cbb4ae7880d615934e2c411517b6bf54f8089bedae6efd123f54e346e
                                  • Instruction Fuzzy Hash: 0ED0C935944120BBC2411A387E0C86B7A589F163313619B36F566E22A4CB7888629698

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 195 403da4-403db6 196 403dbc-403dc2 195->196 197 403f1d-403f2c 195->197 196->197 198 403dc8-403dd1 196->198 199 403f7b-403f90 197->199 200 403f2e-403f76 GetDlgItem * 2 call 40429e SetClassLongA call 40140b 197->200 203 403dd3-403de0 SetWindowPos 198->203 204 403de6-403ded 198->204 201 403fd0-403fd5 call 4042ea 199->201 202 403f92-403f95 199->202 200->199 214 403fda-403ff5 201->214 206 403f97-403fa2 call 401389 202->206 207 403fc8-403fca 202->207 203->204 209 403e31-403e37 204->209 210 403def-403e09 ShowWindow 204->210 206->207 231 403fa4-403fc3 SendMessageA 206->231 207->201 213 40426b 207->213 217 403e50-403e53 209->217 218 403e39-403e4b DestroyWindow 209->218 215 403f0a-403f18 call 404305 210->215 216 403e0f-403e22 GetWindowLongA 210->216 227 40426d-404274 213->227 224 403ff7-403ff9 call 40140b 214->224 225 403ffe-404004 214->225 215->227 216->215 226 403e28-403e2b ShowWindow 216->226 220 403e55-403e61 SetWindowLongA 217->220 221 403e66-403e6c 217->221 228 404248-40424e 218->228 220->227 221->215 230 403e72-403e81 GetDlgItem 221->230 224->225 235 404229-404242 DestroyWindow EndDialog 225->235 236 40400a-404015 225->236 226->209 228->213 234 404250-404256 228->234 237 403ea0-403ea3 230->237 238 403e83-403e9a SendMessageA IsWindowEnabled 230->238 231->227 234->213 239 404258-404261 ShowWindow 234->239 235->228 236->235 240 40401b-404068 call 4062b4 call 40429e * 3 GetDlgItem 236->240 241 403ea5-403ea6 237->241 242 403ea8-403eab 237->242 238->213 238->237 239->213 267 404072-4040ae ShowWindow KiUserCallbackDispatcher call 4042c0 EnableWindow 240->267 268 40406a-40406f 240->268 245 403ed6-403edb call 404277 241->245 246 403eb9-403ebe 242->246 247 403ead-403eb3 242->247 245->215 250 403ef4-403f04 SendMessageA 246->250 252 403ec0-403ec6 246->252 247->250 251 403eb5-403eb7 247->251 250->215 251->245 255 403ec8-403ece call 40140b 252->255 256 403edd-403ee6 call 40140b 252->256 265 403ed4 255->265 256->215 264 
403ee8-403ef2 256->264 264->265 265->245 271 4040b0-4040b1 267->271 272 4040b3 267->272 268->267 273 4040b5-4040e3 GetSystemMenu EnableMenuItem SendMessageA 271->273 272->273 274 4040e5-4040f6 SendMessageA 273->274 275 4040f8 273->275 276 4040fe-404138 call 4042d3 call 403d85 call 406221 lstrlenA call 4062b4 SetWindowTextA call 401389 274->276 275->276 276->214 287 40413e-404140 276->287 287->214 288 404146-40414a 287->288 289 404169-40417d DestroyWindow 288->289 290 40414c-404152 288->290 289->228 291 404183-4041b0 CreateDialogParamA 289->291 290->213 292 404158-40415e 290->292 291->228 293 4041b6-40420d call 40429e GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 291->293 292->214 294 404164 292->294 293->213 299 40420f-404222 ShowWindow call 4042ea 293->299 294->213 301 404227 299->301 301->228
                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DE0
                                  • ShowWindow.USER32(?), ref: 00403E00
                                  • GetWindowLongA.USER32(?,000000F0), ref: 00403E12
                                  • ShowWindow.USER32(?,00000004), ref: 00403E2B
                                  • DestroyWindow.USER32 ref: 00403E3F
                                  • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403E58
                                  • GetDlgItem.USER32(?,?), ref: 00403E77
                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403E8B
                                  • IsWindowEnabled.USER32(00000000), ref: 00403E92
                                  • GetDlgItem.USER32(?,00000001), ref: 00403F3D
                                  • GetDlgItem.USER32(?,00000002), ref: 00403F47
                                  • SetClassLongA.USER32(?,000000F2,?), ref: 00403F61
                                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403FB2
                                  • GetDlgItem.USER32(?,00000003), ref: 00404058
                                  • ShowWindow.USER32(00000000,?), ref: 00404079
                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040408B
                                  • EnableWindow.USER32(?,?), ref: 004040A6
                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040BC
                                  • EnableMenuItem.USER32(00000000), ref: 004040C3
                                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 004040DB
                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 004040EE
                                  • lstrlenA.KERNEL32(idrtsanlgget: Installing,?,idrtsanlgget: Installing,00000000), ref: 00404118
                                  • SetWindowTextA.USER32(?,idrtsanlgget: Installing), ref: 00404127
                                  • ShowWindow.USER32(?,0000000A), ref: 0040425B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                  • String ID: idrtsanlgget: Installing
                                  • API String ID: 121052019-1312311147
                                  • Opcode ID: cf6f8fefcd9c0567f5dab7afb62f1ef5db462d302044b3f309ddb9ded271f886
                                  • Instruction ID: c2a56449c41b7cc77cfa33be594cb230360cd5d78b06aa9253df86e9e70b3bc9
                                  • Opcode Fuzzy Hash: cf6f8fefcd9c0567f5dab7afb62f1ef5db462d302044b3f309ddb9ded271f886
                                  • Instruction Fuzzy Hash: 6DC111B1A00205BFCB206F61EE45E2B3AB8FB85346F51053EF651B11F0CBB958429B6D

                                  Control-flow Graph
                                  APIs
                                    • Part of subcall function 0040662D: GetModuleHandleA.KERNEL32(?,00000000,?,004034BF,0000000B), ref: 0040663F
                                    • Part of subcall function 0040662D: GetProcAddress.KERNEL32(00000000,?), ref: 0040665A
                                  • lstrcatA.KERNEL32(1033,idrtsanlgget: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,idrtsanlgget: Installing,00000000,00000002,76233410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Quotation.scr.exe",00000009,0000000B), ref: 00403A82
                                  • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion,1033,idrtsanlgget: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,idrtsanlgget: Installing,00000000,00000002,76233410), ref: 00403AF7
                                  • lstrcmpiA.KERNEL32(?,.exe), ref: 00403B0A
                                  • GetFileAttributesA.KERNEL32(Call,?,"C:\Users\user\Desktop\Quotation.scr.exe",00000009,0000000B), ref: 00403B15
                                  • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion), ref: 00403B5E
                                    • Part of subcall function 0040617F: wsprintfA.USER32 ref: 0040618C
                                  • RegisterClassA.USER32(00423EC0), ref: 00403B9B
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BB3
                                  • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BE8
                                  • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\Quotation.scr.exe",00000009,0000000B), ref: 00403C1E
                                  • GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403C4A
                                  • GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403C57
                                  • RegisterClassA.USER32(00423EC0), ref: 00403C60
                                  • DialogBoxParamA.USER32(?,00000000,00403DA4,00000000), ref: 00403C7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: "C:\Users\user\Desktop\Quotation.scr.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$idrtsanlgget: Installing
                                  • API String ID: 1975747703-1857590413
                                  • Opcode ID: 1e36438da59a27c02f09cb44cc73aaf7a7425e1f06fb85e6544bb80df6095a8d
                                  • Instruction ID: fcd685ab68d6fc3f0e9ddc4412ad7aa3311bf697761245dedcdb905dd55f18bc
                                  • Opcode Fuzzy Hash: 1e36438da59a27c02f09cb44cc73aaf7a7425e1f06fb85e6544bb80df6095a8d
                                  • Instruction Fuzzy Hash: C261D5703042446EE720AF65AD45F273ABCEB8570EF40443EF951B62E3DB7C99028A2D

                                  Control-flow Graph
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00402F1D
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.scr.exe,00000400,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00402F39
                                    • Part of subcall function 00405DB4: GetFileAttributesA.KERNELBASE(00000003,00402F4C,C:\Users\user\Desktop\Quotation.scr.exe,80000000,00000003,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00405DB8
                                    • Part of subcall function 00405DB4: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00405DDA
                                  • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.scr.exe,C:\Users\user\Desktop\Quotation.scr.exe,80000000,00000003,?,?,004036C7,?,?,00000007), ref: 00402F85
                                  • GlobalAlloc.KERNELBASE(00000040,00000007,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 004030BB
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F13
                                  • C:\Users\user\Desktop\Quotation.scr.exe, xrefs: 00402F23, 00402F32, 00402F46, 00402F66
                                  • soft, xrefs: 00402FFA
                                  • C:\Users\user\Desktop, xrefs: 00402F67, 00402F6C, 00402F72
                                  • Null, xrefs: 00403003
                                  • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004030E2
                                  • Error launching installer, xrefs: 00402F5C
                                  • "C:\Users\user\Desktop\Quotation.scr.exe", xrefs: 00402F12
                                  • Inst, xrefs: 00402FF1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                  • String ID: "C:\Users\user\Desktop\Quotation.scr.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.scr.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                  • API String ID: 2803837635-934966844
                                  • Opcode ID: b48610ce61f2dfe27a90e7189157576f511a878d6bf6d582587e7beedd0b4215
                                  • Instruction ID: 6f91d6cf9aea781f2be777d95fc4c6a88526e1456e8e2f8669b761a6c70a7297
                                  • Opcode Fuzzy Hash: b48610ce61f2dfe27a90e7189157576f511a878d6bf6d582587e7beedd0b4215
                                  • Instruction Fuzzy Hash: BD51E131A01209ABDB20AF64DD85B9E7EACEB45356F10813BF504B62C1C77C9E418B9C

                                  Control-flow Graph
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004063E2
                                  • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,0040537A,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000), ref: 004063F5
                                  • SHGetSpecialFolderLocation.SHELL32(zS@,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,0040537A,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000), ref: 00406431
                                  • SHGetPathFromIDListA.SHELL32(0040A198,Call), ref: 0040643F
                                  • CoTaskMemFree.OLE32(0040A198), ref: 0040644B
                                  • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040646F
                                  • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,0040537A,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,00000000,004178E0,00000000), ref: 004064C1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                  • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$zS@$xA
                                  • API String ID: 717251189-2595104263
                                  • Opcode ID: 01e735fbfeec6794f63d69a39ac74ca258d58b417a693da21f5017f4f3d90d82
                                  • Instruction ID: 1e05e4755be7b120762156ffed826769e18ab9363051d8dbb2c276a51f26afb7
                                  • Opcode Fuzzy Hash: 01e735fbfeec6794f63d69a39ac74ca258d58b417a693da21f5017f4f3d90d82
                                  • Instruction Fuzzy Hash: 41612571900114AEDF21AF24CC94BBA3BA4EB55314F12413FE957BA2D1C73D49A2CB5E

                                  Control-flow Graph
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CountTick$wsprintf
                                  • String ID: ... %d%%$8A$8A$xA$xA
                                  • API String ID: 551687249-266981132
                                  • Opcode ID: 49586b874982cde46689b0ed450687e0bc51153ef6effa0955f47770bd6c66e7
                                  • Instruction ID: 4a1ea8bb3fd3a26c9f0e8db2dd68ad5c224ef75e8aedfb631eb52dece37c6ef1
                                  • Opcode Fuzzy Hash: 49586b874982cde46689b0ed450687e0bc51153ef6effa0955f47770bd6c66e7
                                  • Instruction Fuzzy Hash: A1515831900219ABCB10DF65DA44AAF3BACEB44766F14417BFC10B72D0DB389E41CBA9

                                  Control-flow Graph
                                  APIs
                                  • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes,00000000,00000000,00000031), ref: 00401798
                                  • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes,00000000,00000000,00000031), ref: 004017C2
                                    • Part of subcall function 00406221: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403520,00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 0040622E
                                    • Part of subcall function 00405342: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403273,00000000,?), ref: 0040537B
                                    • Part of subcall function 00405342: lstrlenA.KERNEL32(s2@,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403273,00000000), ref: 0040538B
                                    • Part of subcall function 00405342: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000020,s2@,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000), ref: 0040539E
                                    • Part of subcall function 00405342: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll), ref: 004053B0
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053D6
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053F0
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001013,?,00000000), ref: 004053FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                  • String ID: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp$C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll$C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes$Call
                                  • API String ID: 1941528284-1697047108
                                  • Opcode ID: 716cf2c98c50e63f02de7df4755c8ad091205c6cfb3a7261408329e88e32f6da
                                  • Instruction ID: a49298dc389347cb5e4136975bc6968088af8b90c3e5070666150344fe261676
                                  • Opcode Fuzzy Hash: 716cf2c98c50e63f02de7df4755c8ad091205c6cfb3a7261408329e88e32f6da
                                  • Instruction Fuzzy Hash: 0341B631900515BBCF107BA5DC45DAF36A9DF45368B60863FF522F10E1CB7C8A528A6D

                                  Control-flow Graph (rendered graph not captured in text; basic-block ranges and edges are listed below, with the Executed / Not Executed legend applying to the original rendering)
                                  control_flow_graph 705 405342-405357 706 40540d-405411 705->706 707 40535d-40536f 705->707 708 405371-405375 call 4062b4 707->708 709 40537a-405386 lstrlenA 707->709 708->709 711 4053a3-4053a7 709->711 712 405388-405398 lstrlenA 709->712 714 4053b6-4053ba 711->714 715 4053a9-4053b0 SetWindowTextA 711->715 712->706 713 40539a-40539e lstrcatA 712->713 713->711 716 405400-405402 714->716 717 4053bc-4053fe SendMessageA * 3 714->717 715->714 716->706 718 405404-405407 716->718 717->716 718->706
                                  APIs
                                  • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403273,00000000,?), ref: 0040537B
                                  • lstrlenA.KERNEL32(s2@,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403273,00000000), ref: 0040538B
                                  • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000020,s2@,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000), ref: 0040539E
                                  • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll), ref: 004053B0
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053D6
                                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053F0
                                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 004053FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                  • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll$s2@
                                  • API String ID: 2531174081-3142979832
                                  • Opcode ID: 91f1efd3482e6739620321cee1f63e33c0cd268ebde5a23d9a6f3fc96e6ff2ec
                                  • Instruction ID: a40a8891f3c6fb39099cc520ce66c34ee7eda12957dc0ac63e91bc1771a185f3
                                  • Opcode Fuzzy Hash: 91f1efd3482e6739620321cee1f63e33c0cd268ebde5a23d9a6f3fc96e6ff2ec
                                  • Instruction Fuzzy Hash: 9B21AE71E00118BACF119FA4DD80ADEBFB9EF05354F10807AF944B2291C7798A818F58

                                  Control-flow Graph (rendered graph not captured in text; basic-block ranges and edges are listed below, with the Executed / Not Executed legend applying to the original rendering)
                                  control_flow_graph 719 4065bf-4065df GetSystemDirectoryA 720 4065e1 719->720 721 4065e3-4065e5 719->721 720->721 722 4065f5-4065f7 721->722 723 4065e7-4065ef 721->723 725 4065f8-40662a wsprintfA LoadLibraryExA 722->725 723->722 724 4065f1-4065f3 723->724 724->725
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065D6
                                  • wsprintfA.USER32 ref: 0040660F
                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406623
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                  • String ID: %s%s.dll$UXTHEME$\
                                  • API String ID: 2200240437-4240819195
                                  • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                  • Instruction ID: 538f9e1140f634cc693cd8b5114f1eb04e7fa205d41a6ae1d1a54bee0fdb4feb
                                  • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                  • Instruction Fuzzy Hash: 97F0FC7054020977DB159768ED0DFEB365CAB08344F14007EA586E10C1EA78D5258B59

                                  Control-flow Graph (rendered graph not captured in text; basic-block ranges and edges are listed below, with the Executed / Not Executed legend applying to the original rendering)
                                  control_flow_graph 809 406d56-406d5c 810 406d61-406d7f 809->810 811 406d5e-406d60 809->811 812 407052-40705f 810->812 813 406f8d-406fa2 810->813 811->810 814 407089-40708d 812->814 815 406fa4-406fba 813->815 816 406fbc-406fd2 813->816 818 4070ed-407100 814->818 819 40708f-4070b0 814->819 817 406fd5-406fdc 815->817 816->817 820 407003 817->820 821 406fde-406fe2 817->821 822 407009-40700f 818->822 823 4070b2-4070c7 819->823 824 4070c9-4070dc 819->824 820->822 825 407191-40719b 821->825 826 406fe8-407000 821->826 830 4067b4 822->830 831 4071bc 822->831 828 4070df-4070e6 823->828 824->828 829 4071a7-4071ba 825->829 826->820 832 407086 828->832 833 4070e8 828->833 834 4071bf-4071c3 829->834 835 406860-406864 830->835 836 4068d0-4068d4 830->836 837 4067bb-4067bf 830->837 838 4068fb-40691c 830->838 831->834 832->814 842 40706b-407083 833->842 843 40719d 833->843 844 407110-40711a 835->844 845 40686a-406883 835->845 840 4068da-4068ee 836->840 841 40711f-407129 836->841 837->829 846 4067c5-4067d2 837->846 838->813 848 4068f1-4068f9 840->848 841->829 842->832 843->829 844->829 849 406886-40688a 845->849 846->831 847 4067d8-40681e 846->847 850 406820-406824 847->850 851 406846-406848 847->851 848->836 848->838 849->835 852 40688c-406892 849->852 853 406826-406829 GlobalFree 850->853 854 40682f-40683d GlobalAlloc 850->854 855 406856-40685e 851->855 856 40684a-406854 851->856 857 406894-40689b 852->857 858 4068bc-4068ce 852->858 853->854 854->831 859 406843 854->859 855->849 856->855 856->856 860 4068a6-4068b6 GlobalAlloc 857->860 861 40689d-4068a0 GlobalFree 857->861 858->848 859->851 860->831 860->858 861->860
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8A$8A
                                  • API String ID: 0-94555818
                                  • Opcode ID: ee0a66abc84fbff8a3b0562d50ee9ce362ada632bf606ba14af57fbf3dd32506
                                  • Instruction ID: 037ff468ded25cb3c88aec1f84f9f4857d7a6ad91ff327d5d0ae411a19d76476
                                  • Opcode Fuzzy Hash: ee0a66abc84fbff8a3b0562d50ee9ce362ada632bf606ba14af57fbf3dd32506
                                  • Instruction Fuzzy Hash: 28A14471E04229CBDF28CFA8C8446ADBBB1FF44305F14816ED856BB281D7786A86DF45

                                  Control-flow Graph (rendered graph not captured in text; basic-block ranges and edges are listed below, with the Executed / Not Executed legend applying to the original rendering)
                                  control_flow_graph 862 406f57-406f5b 863 406f7d-406f8a 862->863 864 406f5d-40705f 862->864 866 406f8d-406fa2 863->866 874 407089-40708d 864->874 868 406fa4-406fba 866->868 869 406fbc-406fd2 866->869 871 406fd5-406fdc 868->871 869->871 872 407003 871->872 873 406fde-406fe2 871->873 877 407009-40700f 872->877 875 407191-40719b 873->875 876 406fe8-407000 873->876 878 4070ed-407100 874->878 879 40708f-4070b0 874->879 883 4071a7-4071ba 875->883 876->872 885 4067b4 877->885 886 4071bc 877->886 878->877 881 4070b2-4070c7 879->881 882 4070c9-4070dc 879->882 887 4070df-4070e6 881->887 882->887 884 4071bf-4071c3 883->884 888 406860-406864 885->888 889 4068d0-4068d4 885->889 890 4067bb-4067bf 885->890 891 4068fb-40691c 885->891 886->884 892 407086 887->892 893 4070e8 887->893 896 407110-40711a 888->896 897 40686a-406883 888->897 894 4068da-4068ee 889->894 895 40711f-407129 889->895 890->883 898 4067c5-4067d2 890->898 891->866 892->874 902 40706b-407083 893->902 903 40719d 893->903 901 4068f1-4068f9 894->901 895->883 896->883 904 406886-40688a 897->904 898->886 900 4067d8-40681e 898->900 905 406820-406824 900->905 906 406846-406848 900->906 901->889 901->891 902->892 903->883 904->888 907 40688c-406892 904->907 908 406826-406829 GlobalFree 905->908 909 40682f-40683d GlobalAlloc 905->909 910 406856-40685e 906->910 911 40684a-406854 906->911 912 406894-40689b 907->912 913 4068bc-4068ce 907->913 908->909 909->886 914 406843 909->914 910->904 911->910 911->911 915 4068a6-4068b6 GlobalAlloc 912->915 916 40689d-4068a0 GlobalFree 912->916 913->901 914->906 915->886 915->913 916->915
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8A$8A
                                  • API String ID: 0-94555818
                                  • Opcode ID: d0b43d5488c7e2c26a294e11fe090dff0f107ad8aedaa34487cdf01caaacf563
                                  • Instruction ID: a73c48897ffc0e9d3498e68073e6b44f80268223d7085c4a5482f13f1ca9caf4
                                  • Opcode Fuzzy Hash: d0b43d5488c7e2c26a294e11fe090dff0f107ad8aedaa34487cdf01caaacf563
                                  • Instruction Fuzzy Hash: EF912F71D04229CBDB28CF98C844BADBBB1FF44305F14816AD856BB281D7786986DF45

                                  Control-flow Graph (rendered graph not captured in text; basic-block ranges and edges are listed below, with the Executed / Not Executed legend applying to the original rendering)
                                  control_flow_graph 917 406c6d-406c71 918 406c77-406c7b 917->918 919 406d28-406d37 917->919 920 406c81-406c95 918->920 921 4071bc 918->921 925 406f8d-406fa2 919->925 922 40715b-407165 920->922 923 406c9b-406ca4 920->923 924 4071bf-4071c3 921->924 926 4071a7-4071ba 922->926 927 406ca6 923->927 928 406ca9-406cd9 923->928 929 406fa4-406fba 925->929 930 406fbc-406fd2 925->930 926->924 927->928 935 4067a5-4067ae 928->935 932 406fd5-406fdc 929->932 930->932 933 407003-40700f 932->933 934 406fde-406fe2 932->934 933->935 936 407191-40719b 934->936 937 406fe8-407000 934->937 935->921 939 4067b4 935->939 936->926 937->933 940 406860-406864 939->940 941 4068d0-4068d4 939->941 942 4067bb-4067bf 939->942 943 4068fb-40691c 939->943 946 407110-40711a 940->946 947 40686a-406883 940->947 944 4068da-4068ee 941->944 945 40711f-407129 941->945 942->926 948 4067c5-4067d2 942->948 943->925 950 4068f1-4068f9 944->950 945->926 946->926 951 406886-40688a 947->951 948->921 949 4067d8-40681e 948->949 952 406820-406824 949->952 953 406846-406848 949->953 950->941 950->943 951->940 954 40688c-406892 951->954 955 406826-406829 GlobalFree 952->955 956 40682f-40683d GlobalAlloc 952->956 957 406856-40685e 953->957 958 40684a-406854 953->958 959 406894-40689b 954->959 960 4068bc-4068ce 954->960 955->956 956->921 961 406843 956->961 957->951 958->957 958->958 962 4068a6-4068b6 GlobalAlloc 959->962 963 40689d-4068a0 GlobalFree 959->963 960->950 961->953 962->921 962->960 963->962
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8A$8A
                                  • API String ID: 0-94555818
                                  • Opcode ID: 27d758ba2e9164d47a258d41aa73e0c97a0bd6746090d9f017883f84c38c946a
                                  • Instruction ID: c0a3756ab12810a6b67a1498c3beec823cc207d0bf1bda0cb9a0b3647e7974e6
                                  • Opcode Fuzzy Hash: 27d758ba2e9164d47a258d41aa73e0c97a0bd6746090d9f017883f84c38c946a
                                  • Instruction Fuzzy Hash: 67814371D04228CFDF24CFA8C884BADBBB1FB44305F25816AD856BB281D7385986DF55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8A$8A
                                  • API String ID: 0-94555818
                                  • Opcode ID: ecba1b00a85e47345dc69ec8d885cdfd664a56a6485a647ad591f58f92d474cb
                                  • Instruction ID: 09cf3fc1b9d43e75a42459bd17fe95ac1a928afd5f071cbc7f258809f6501e4b
                                  • Opcode Fuzzy Hash: ecba1b00a85e47345dc69ec8d885cdfd664a56a6485a647ad591f58f92d474cb
                                  • Instruction Fuzzy Hash: DE816531D04228DBDB24CFA8C844BADBBB1FF44305F14816AD856BB2C1D7786A86DF55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8A$8A
                                  • API String ID: 0-94555818
                                  • Opcode ID: 38c42ada44feaf990178e3f166c4b4d4f911815dd0bac596eb60bd23cae92c85
                                  • Instruction ID: 96954663c125a07816217da5b30ac29d1b305f4fbf3c5a1d1f830ff9544548ba
                                  • Opcode Fuzzy Hash: 38c42ada44feaf990178e3f166c4b4d4f911815dd0bac596eb60bd23cae92c85
                                  • Instruction Fuzzy Hash: B6712271E04228CBDF28CF98C944BADBBB1FF48305F15806AD856BB281D7385996DF54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8A$8A
                                  • API String ID: 0-94555818
                                  • Opcode ID: 92e139c7710f874f749617861add3edefc3e5ff4ea805fab1350bc2bd0e5f84c
                                  • Instruction ID: 85d1e85e82457aea8d489b254ea9ec13bc69610cb60fcf4fde03a4c14b8da4dd
                                  • Opcode Fuzzy Hash: 92e139c7710f874f749617861add3edefc3e5ff4ea805fab1350bc2bd0e5f84c
                                  • Instruction Fuzzy Hash: F9714231E04228CBDB28CF98C844BADBBB1FF48305F15806AD856BB281C7785992DF54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8A$8A
                                  • API String ID: 0-94555818
                                  • Opcode ID: 3052d11cfd0f0d65917b5f5a187ce4d710c9ac819c1ea066de4bed354f12028d
                                  • Instruction ID: 29e5a1585bc0f4f3cb8f82ad36b57cc1e6d58c26c9e7a120a17255b8eb917391
                                  • Opcode Fuzzy Hash: 3052d11cfd0f0d65917b5f5a187ce4d710c9ac819c1ea066de4bed354f12028d
                                  • Instruction Fuzzy Hash: 40713431E04229DBEF28CF98C844BADBBB1FF44305F15806AD856BB281D7786996DF44
                                  APIs
                                  • CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 0040584B
                                  • GetLastError.KERNEL32 ref: 0040585F
                                  • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405874
                                  • GetLastError.KERNEL32 ref: 0040587E
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040582E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 3449924974-3936084776
                                  • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                  • Instruction ID: e7000bac75bd85e85fedcbc16c632dc4ea60951c5aa934c9adfad969d4cd0ac4
                                  • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                  • Instruction Fuzzy Hash: CD010872C00219EADF00ABA0C948BEFBBB8EF14354F00803AD944B6190D7789658CBA9
                                  APIs
                                  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CloseEnum$DeleteValue
                                  • String ID:
                                  • API String ID: 1354259210-0
                                  • Opcode ID: d3065a1495d08a70ee0ec73ce03137b35b959529f7d494a5279a47c727d8abac
                                  • Instruction ID: 16bb82b538d3471b68f9dca9ce152012d8840a018b595784ed89a15ed233c330
                                  • Opcode Fuzzy Hash: d3065a1495d08a70ee0ec73ce03137b35b959529f7d494a5279a47c727d8abac
                                  • Instruction Fuzzy Hash: 2221487150010CBBDF129F90CE89EEB7B7DEF44344F10007AFA15B11A0D7B49EA4AAA8
                                  APIs
                                    • Part of subcall function 73F11B28: GlobalFree.KERNEL32(?), ref: 73F11D99
                                    • Part of subcall function 73F11B28: GlobalFree.KERNEL32(?), ref: 73F11D9E
                                    • Part of subcall function 73F11B28: GlobalFree.KERNEL32(?), ref: 73F11DA3
                                  • GlobalFree.KERNEL32(00000000), ref: 73F11816
                                  • FreeLibrary.KERNEL32(?), ref: 73F11899
                                  • GlobalFree.KERNEL32(00000000), ref: 73F118BE
                                    • Part of subcall function 73F1233F: GlobalAlloc.KERNEL32(00000040,?), ref: 73F12370
                                    • Part of subcall function 73F12742: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73F117E7,00000000), ref: 73F12812
                                    • Part of subcall function 73F115FB: wsprintfA.USER32 ref: 73F11629
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
                                   • Associated: 00000000.00000002.4590249257.0000000073F10000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000000.00000002.4590287407.0000000073F14000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000000.00000002.4590303574.0000000073F16000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
                                  Similarity
                                  • API ID: Global$Free$Alloc$Librarywsprintf
                                  • String ID:
                                  • API String ID: 3962662361-3916222277
                                  • Opcode ID: b6790789fa05964c816792caf73be369b72d796566676002310f42d53e32b458
                                  • Instruction ID: dc71b272c73f6a6061dc936754467beb8063bcd7d9629ce475dd5a84513c1986
                                  • Opcode Fuzzy Hash: b6790789fa05964c816792caf73be369b72d796566676002310f42d53e32b458
                                  • Instruction Fuzzy Hash: E441857240070BDBDB05AFB5BD94B9A37ECBF012A0F188475E90B9A1D6DBB48165C7A0
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00405DF7
                                  • GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,0040337B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007), ref: 00405E11
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CountFileNameTempTick
                                  • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                  • API String ID: 1716503409-1857211195
                                  • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                  • Instruction ID: 7aa3ad67aa4529e57ce4351cce480232e94573974a8ae4f31fb92fe583ae73db
                                  • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                  • Instruction Fuzzy Hash: DEF08236308208ABEB119F56ED04B9B7B9CDF91750F10C03BFA84DA180D6B499558798
                                  APIs
                                  • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0
                                    • Part of subcall function 00405342: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403273,00000000,?), ref: 0040537B
                                    • Part of subcall function 00405342: lstrlenA.KERNEL32(s2@,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403273,00000000), ref: 0040538B
                                    • Part of subcall function 00405342: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000020,s2@,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000), ref: 0040539E
                                    • Part of subcall function 00405342: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll), ref: 004053B0
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053D6
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053F0
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001013,?,00000000), ref: 004053FE
                                  • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                                  • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                  • String ID:
                                  • API String ID: 2987980305-0
                                  • Opcode ID: 0037d7d2046a917e6037eca758434f9656d9c7954a0e4372cea429370dde13ec
                                  • Instruction ID: 1a52d5c9bd73350e094fb72bc7beb8bf898658989635d2370106f249bf00f81b
                                  • Opcode Fuzzy Hash: 0037d7d2046a917e6037eca758434f9656d9c7954a0e4372cea429370dde13ec
                                  • Instruction Fuzzy Hash: BB210831900114E7CF206FA48E4DAAF3A60AF44358F60413BF611B61E0DBBD49819A6E
                                  APIs
                                    • Part of subcall function 00405C4C: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,0000000B,00405CB8,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A03,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405C5A
                                    • Part of subcall function 00405C4C: CharNextA.USER32(00000000), ref: 00405C5F
                                    • Part of subcall function 00405C4C: CharNextA.USER32(00000000), ref: 00405C73
                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                    • Part of subcall function 00405808: CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 0040584B
                                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes,00000000,00000000,000000F0), ref: 0040163C
                                  Strings
                                  • C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes, xrefs: 00401631
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                  • String ID: C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes
                                  • API String ID: 1892508949-1301576671
                                  • Opcode ID: b8761c13d4d58ea24ee1ab41bf759954ee7a60a9a146c2b8ea91f5c3afb9ff69
                                  • Instruction ID: acd8ba20fbedb82e1422436755e6237bfe0e1992c50ae5100f83efac7f75c8d1
                                  • Opcode Fuzzy Hash: b8761c13d4d58ea24ee1ab41bf759954ee7a60a9a146c2b8ea91f5c3afb9ff69
                                  • Instruction Fuzzy Hash: DC110831508141EBDB307FA54D409BF37B4DA96314B28453FE991B22E2DA3D4D426A3E
                                  APIs
                                  • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,004063C0,80000002), ref: 0040614E
                                  • RegCloseKey.KERNELBASE(?,?,004063C0,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll), ref: 00406159
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CloseQueryValue
                                  • String ID: Call
                                  • API String ID: 3356406503-1824292864
                                  • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                  • Instruction ID: 7bedfd3445a0ca791873298ccdffca82a3224a885595b05fb2430154289eefdc
                                  • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                  • Instruction Fuzzy Hash: C2015A76500209AADF228F61CC09FDB3BB8EF55364F01803AF956A6191D278D964DBA4
                                  APIs
                                  • GlobalFree.KERNEL32(00000000), ref: 00401BF6
                                  • GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401C08
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Global$AllocFree
                                  • String ID: Call
                                  • API String ID: 3394109436-1824292864
                                  • Opcode ID: 043a84b3ed8b52ff5fa0192b31219d7a0eb60f4d564ce27d7880b6a743d6c67a
                                  • Instruction ID: 8a889a8b9b1bbfdac6a011722749f163816b4b5ef25c7beac0f6e1428faa3867
                                  • Opcode Fuzzy Hash: 043a84b3ed8b52ff5fa0192b31219d7a0eb60f4d564ce27d7880b6a743d6c67a
                                  • Instruction Fuzzy Hash: 95216372600101ABDB20FBA49E89D5E77E8DB48318725453BF602B32E1DB7CA8518B6D
                                  APIs
                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
                                  • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,00000000,00000011,00000002), ref: 004025ED
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Enum$CloseValue
                                  • String ID:
                                  • API String ID: 397863658-0
                                  • Opcode ID: 2d177007df504b80bfd5759d57faf9979bbb0a471d47af169327b32658962f8f
                                  • Instruction ID: a1ca305be459c48fd71a82ec126b3fde0aed68a0a4ef6fcc11af1263137764e2
                                  • Opcode Fuzzy Hash: 2d177007df504b80bfd5759d57faf9979bbb0a471d47af169327b32658962f8f
                                  • Instruction Fuzzy Hash: B3017571904104FFE7158F549E88ABF7BACEB81358F20443EF101A61C0DAB44E449679
                                  APIs
                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                  • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 3989e8558a6d49e6d3ddd2008f45815a676c7388d5b74ef965f71d255d6c3b81
                                  • Instruction ID: 5d55f291ab777a43d3e607683c349b975c1cd97fe7e7a19d5b62972dfd7fa7c2
                                  • Opcode Fuzzy Hash: 3989e8558a6d49e6d3ddd2008f45815a676c7388d5b74ef965f71d255d6c3b81
                                  • Instruction Fuzzy Hash: A201F431B242109FE7194B389E05B2A36A8E710315F11823FF951F65F1D778CC129B4C
                                  APIs
                                  • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040244A
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00402453
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CloseDeleteValue
                                  • String ID:
                                  • API String ID: 2831762973-0
                                  • Opcode ID: 50bcbcaccac07d49133e63288154d8480d3766cb5563da52c62cd3a825a8d262
                                  • Instruction ID: 5df8e70ae2623052d4c73f66a3f2fc78df54693110283231853cca4ef2da1c87
                                  • Opcode Fuzzy Hash: 50bcbcaccac07d49133e63288154d8480d3766cb5563da52c62cd3a825a8d262
                                  • Instruction Fuzzy Hash: 74F09C32A041209BE710ABB55B4D96E6294DB80314F25443FF601B71C1D9F84D41566D
                                  APIs
                                  • ShowWindow.USER32(00000000,00000000), ref: 00401EE3
                                  • EnableWindow.USER32(00000000,00000000), ref: 00401EEE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Window$EnableShow
                                  • String ID:
                                  • API String ID: 1136574915-0
                                  • Opcode ID: 4d2184584f850d12cfcd49bd899fdf2321ee0006cae71fcf0f803f94c02f0bd8
                                  • Instruction ID: 94a5f36ec3a0165d99ee88131f66a60225a302d7e02cacf1c2213f37cf390b0f
                                  • Opcode Fuzzy Hash: 4d2184584f850d12cfcd49bd899fdf2321ee0006cae71fcf0f803f94c02f0bd8
                                  • Instruction Fuzzy Hash: F2E01272A082009FD714EBA5AA8956EB7B4EBC1365B20443FF101F11D1DB7858418A69
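Worked example, added here and not part of the Joe Sandbox report or its tooling: a small Python triage script for the per-function records above. It parses the `• Api.Module(args), ref: addr` lines (including the nested `Part of subcall function` entries and the argument-less form such as `GetLastError.KERNEL32 ref: ...`), decodes the hex flag arguments the report leaves raw (the `80000007` passed to `SetFileSecurityA` is OWNER|GROUP|DACL|PROTECTED_DACL, the `04000000` in `CreateProcessA` is CREATE_DEFAULT_ERROR_MODE, the `00000008` in `LoadLibraryExA` is LOAD_WITH_ALTERED_SEARCH_PATH) and tags each record with a capability label. The sample input is constructed from records on this page with argument lists abridged; the flag tables are the Win32 header values; the rule names and tags are this example's own labels, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: API lines in the shape of the per-function "APIs" records
# above (argument lists abridged; one non-API line kept to show it is skipped).
SAMPLE = r"""
APIs
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405874
• GetLastError.KERNEL32 ref: 0040587E
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040582E
APIs
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0
  • Part of subcall function 00405342: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000), ref: 0040537B
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
• GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422530,00000009,00000009,0000000B), ref: 004058E3
• CloseHandle.KERNEL32(?), ref: 004058F0
"""

# One API line: optional subcall prefix, Api.Module, optional "(args),", "ref: addr".
LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$"
)

# Win32 header constants for the flag arguments seen in the records above.
SECURITY_INFORMATION = {0x1: "OWNER", 0x2: "GROUP", 0x4: "DACL", 0x8: "SACL",
                        0x80000000: "PROTECTED_DACL"}
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE",
                  0x4000000: "CREATE_DEFAULT_ERROR_MODE", 0x8000000: "CREATE_NO_WINDOW"}
LOAD_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
              0x8: "LOAD_WITH_ALTERED_SEARCH_PATH"}
# API name -> (zero-based position of its flags argument, flag table)
FLAG_ARGS = {"SetFileSecurityA": (1, SECURITY_INFORMATION),
             "CreateProcessA": (5, CREATION_FLAGS),
             "LoadLibraryExA": (2, LOAD_FLAGS)}
# Triage tags (this example's own labels): a tag fires when any one of its
# alternative API sets is fully present in a single record.
RULES = {
    "dynamic-api-resolution": ({"LoadLibraryA", "GetProcAddress"},
                               {"LoadLibraryExA", "GetProcAddress"}),
    "process-creation": ({"CreateProcessA"},),
    "acl-on-dropped-dir": ({"SetFileSecurityA"},),
    "registry-cleanup": ({"RegDeleteKeyA"}, {"RegDeleteValueA"}),
}

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str                       # address of the call site
    subcall: Optional[str] = None  # callee address for "Part of subcall function" lines
    flags: list = field(default_factory=list)

@dataclass
class Record:
    calls: list = field(default_factory=list)
    tags: list = field(default_factory=list)

def decode_flags(api, args):
    """Name the bits of a known flags argument; unknown bits are kept as hex."""
    spec = FLAG_ARGS.get(api)
    if spec is None or spec[0] >= len(args) or not re.fullmatch(r"[0-9A-Fa-f]{8}", args[spec[0]]):
        return []
    pos, table = spec
    value = int(args[pos], 16)
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:08X}")
    return names

def parse_records(text):
    """One Record per 'APIs' heading; non-API lines (Strings, dumps, hashes) are skipped."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
            continue
        m = LINE.match(line)
        if m is None or not records:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        call = Call(m["api"], m["mod"], args, m["ref"], m["sub"])
        call.flags = decode_flags(call.api, args)
        records[-1].calls.append(call)
    for rec in records:
        present = {c.api for c in rec.calls}
        rec.tags = [tag for tag, alts in RULES.items() if any(a <= present for a in alts)]
    return records

def summarize(records):
    """One line per record: top-level call chain with decoded flags, then the tags."""
    out = []
    for i, rec in enumerate(records, 1):
        chain = " -> ".join(c.api + (f"[{'|'.join(c.flags)}]" if c.flags else "")
                            for c in rec.calls if c.subcall is None)
        out.append(f"record {i}: {chain}  tags={rec.tags}")
    return out

if __name__ == "__main__":
    for line in summarize(parse_records(SAMPLE)):
        print(line)
```

Run as a script it prints one summary line per record; `parse_records` can equally be pointed at a saved copy of the report's function listing. The tags are a starting point, not a verdict: the `nsiBEB3.tmp\System.dll` path and the `nsa` temp-file prefix in the records above are the marks of an NSIS installer, so the GetModuleHandleA/LoadLibraryExA/GetProcAddress record reads as the installer's plugin-call routine rather than a hand-rolled import resolver, and the decoded `CreateProcessA` flags (no CREATE_SUSPENDED here) are worth checking before the "creates a process in suspended mode" signature from the overview is attributed to this function.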
                                  APIs
                                  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422530,00000009,00000009,0000000B), ref: 004058E3
                                  • CloseHandle.KERNEL32(?), ref: 004058F0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CloseCreateHandleProcess
                                  • String ID:
                                  • API String ID: 3712363035-0
                                  • Opcode ID: c3c80266f92bd9d667c92bf3182b136ee7f32a01548fe2ad44771ad24a16863f
                                  • Instruction ID: 8e6136513a08a66e78f16ac7a026f690b6bc1d80c1548d9dd7598bcc78e5bb00
                                  • Opcode Fuzzy Hash: c3c80266f92bd9d667c92bf3182b136ee7f32a01548fe2ad44771ad24a16863f
                                  • Instruction Fuzzy Hash: CEE04FB4A003097FEB009B60ED05F7B77ACEB04204F408431BD40F2150E77498148A78
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,00000000,?,004034BF,0000000B), ref: 0040663F
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040665A
                                    • Part of subcall function 004065BF: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065D6
                                    • Part of subcall function 004065BF: wsprintfA.USER32 ref: 0040660F
                                    • Part of subcall function 004065BF: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406623
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                  • String ID:
                                  • API String ID: 2547128583-0
                                  • Opcode ID: b12ffe7be00a10b97de861747ec59dbd41b3c1b34775c1b4ed269191f8b45ceb
                                  • Instruction ID: 36c8f48bfefc0862be278522e96f91fae8f979fd2c9ea5eb7e0295e900d20fac
                                  • Opcode Fuzzy Hash: b12ffe7be00a10b97de861747ec59dbd41b3c1b34775c1b4ed269191f8b45ceb
                                  • Instruction Fuzzy Hash: C6E08632604210A7D3106770AE04D3B73AC9E94750302483EF546F2250DB399C31966D
                                  APIs
                                  • GetFileAttributesA.KERNELBASE(00000003,00402F4C,C:\Users\user\Desktop\Quotation.scr.exe,80000000,00000003,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00405DB8
                                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00405DDA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: File$AttributesCreate
                                  • String ID:
                                  • API String ID: 415043291-0
                                  • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                  • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
                                  • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                  • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19
                                  APIs
                                  • CreateDirectoryA.KERNELBASE(?,00000000,00403370,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 0040588B
                                  • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405899
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CreateDirectoryErrorLast
                                  • String ID:
                                  • API String ID: 1375471231-0
                                  • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                  • Instruction ID: a0b30dcb60550ff0739693ddf281084dce77ea0a02e9d7d5b9741d8c2cff1943
                                  • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                  • Instruction Fuzzy Hash: 71C04C71214501AED6516B209E08B1B7A90AB50741F1AC43DA556E00A0DA388465D92D
                                  APIs
                                  • ReadFile.KERNELBASE(00000000), ref: 73F12B87
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
                                  • Associated: 00000000.00000002.4590249257.0000000073F10000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590287407.0000000073F14000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590303574.0000000073F16000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 9430e8b96141a4dca9ea5d96257905f32fc530be2cdc8e5d78258a11b5d34d28
                                  • Instruction ID: 60eff4e23d41d6d286bcaaf04e00f3a75fe6125b92f750748c6b25349aebb31b
                                  • Opcode Fuzzy Hash: 9430e8b96141a4dca9ea5d96257905f32fc530be2cdc8e5d78258a11b5d34d28
                                  • Instruction Fuzzy Hash: 3C417FB250020BFFEB21EFE9FC90B4A37B9EB143D4F254829D50AC7260D63595618B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: wsprintf
                                  • String ID:
                                  • API String ID: 2111968516-0
                                  • Opcode ID: 0119c933f620c4f8f7031c459ced4d937c0452823e42acf217e7eb90320b7a58
                                  • Instruction ID: 8324140bae0bedb839c70a34aa8ea112e9db0b3a01fb2d154999a2919394717c
                                  • Opcode Fuzzy Hash: 0119c933f620c4f8f7031c459ced4d937c0452823e42acf217e7eb90320b7a58
                                  • Instruction Fuzzy Hash: CD210730C04285BEDF328F5886485AEBBB49F41304F14447FE491B73C5C6BD89858B2A
                                  APIs
                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402751
                                    • Part of subcall function 0040617F: wsprintfA.USER32 ref: 0040618C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: FilePointerwsprintf
                                  • String ID:
                                  • API String ID: 327478801-0
                                  • Opcode ID: f42d9311bd38e891cab7c9a48034642640f41c78525ff0f16b2709c522664675
                                  • Instruction ID: 58dceb810ad8c47cc2381e6bb9ee9bbb5695489f6ed32c3706823f25b5b7881d
                                  • Opcode Fuzzy Hash: f42d9311bd38e891cab7c9a48034642640f41c78525ff0f16b2709c522664675
                                  • Instruction Fuzzy Hash: B0E09271A00100BED710EB94AA898AE77B8DBC5314B20043BF102F50C1DA7848424A3D
                                  APIs
                                  • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000007,?,00403300,00000000,004138E0,00000007,004138E0,00000007,000000FF,00000004,00000000), ref: 00405E6F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                  • Instruction ID: d970b9ef04ac51cd86295d8305d97160bc67491923717357e46394c61e9114dd
                                  • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                  • Instruction Fuzzy Hash: 0AE0BF32154559AFDF105F55DC00ABB775CEB05650F004836BD59E2150D631E921DBE4
                                  APIs
                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403332,00000000,00000000,0040318F,000000FF,00000004,00000000,00000000,00000000), ref: 00405E40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                  • Instruction ID: d39b69fc0fd55a8baf3fd840a6c97f1f552af94dc5523f24b2737b086746c888
                                  • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                  • Instruction Fuzzy Hash: 32E0463220021AABCF10AF54DC00BAB3B6CEB00660F044432B998E6080D230E9649AE8
                                  APIs
                                  • VirtualProtect.KERNELBASE(73F1504C,00000004,00000040,73F1503C), ref: 73F129CF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
                                  • Associated: 00000000.00000002.4590249257.0000000073F10000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590287407.0000000073F14000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590303574.0000000073F16000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  • Opcode ID: 30dd55be23ae31e07656727f0bb82333c3c9bd1f6415c5e5b8482d982b7677ba
                                  • Instruction ID: 9603d135fc2266122d399c1f3485155905f9d47ef2a9d2e0c1319c0caf601896
                                  • Opcode Fuzzy Hash: 30dd55be23ae31e07656727f0bb82333c3c9bd1f6415c5e5b8482d982b7677ba
                                  • Instruction Fuzzy Hash: 15F0ACF2514243DEC3A0EFAFE4647053BF0B7243D4B22452AE55ED7261E33441448F91
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406135,?,?,?,?,00000002,Call), ref: 004060CB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                  • Instruction ID: 9dd0bd35023c3b2089757dd8991b5c3bf4bbd414cff839449b7414e8962b4693
                                  • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                  • Instruction Fuzzy Hash: 7AD0123204020EBBDF11AF909D01FAB3B5DAB08310F014426FE06A5091D776D530A725
                                  APIs
                                  • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: eaaf8967800335113431e6cb0bb5ae79c7c0ed54a5fa1219dc08aecfb877f275
                                  • Instruction ID: 0f0ef67ae6f22a0ba946cca6ba47bc13d0e36b28fe5b1bd08674e4c3da35916c
                                  • Opcode Fuzzy Hash: eaaf8967800335113431e6cb0bb5ae79c7c0ed54a5fa1219dc08aecfb877f275
                                  • Instruction Fuzzy Hash: BFD0C232B04104DBDB10CFA4AB0898E73A4DB80324B308437E101F21C0D6B999005B2D
                                  APIs
                                  • SendMessageA.USER32(00010418,00000000,00000000,00000000), ref: 004042FC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 9a349a504fb0886c84c083efb4d5a0f9bf7be7ebc5d16bd7850478614cc17ce1
                                  • Instruction ID: abd785ffa7d0faf4bfdafb51a737d8bcdd335a29f90b107954c731786bf38ad8
                                  • Opcode Fuzzy Hash: 9a349a504fb0886c84c083efb4d5a0f9bf7be7ebc5d16bd7850478614cc17ce1
                                  • Instruction Fuzzy Hash: 96C09B717447017FDA208F609E4AF0777686750701F6584797750F60D0C6F4D810D71C
                                  APIs
                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030D1,?,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00403343
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                  • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                  • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                  • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                  APIs
                                  • SendMessageA.USER32(00000028,?,00000001,00404103), ref: 004042E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 4b8775389032d73bb0cdc78c7cec40c6840668cae09c009f0c0f7bab9180220a
                                  • Instruction ID: 12fa0bd368318515ea3e07217fdd1357908c491f7ba982cdf3d5e787ac9e46f9
                                  • Opcode Fuzzy Hash: 4b8775389032d73bb0cdc78c7cec40c6840668cae09c009f0c0f7bab9180220a
                                  • Instruction Fuzzy Hash: C5B09236284A00ABDE218B10DE09F457AA2E7A8742F028028B240240B0CAB200A1EB08
                                  APIs
                                  • KiUserCallbackDispatcher.NTDLL(?,0040409C), ref: 004042CA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CallbackDispatcherUser
                                  • String ID:
                                  • API String ID: 2492992576-0
                                  • Opcode ID: 36152b0dcf1d80259a477477ce8a6ba5700b6154f7d802f5e94468563093d619
                                  • Instruction ID: f56e5b77852c123102009bf48c8e97640dd16861c460b72fc417a08543d31c29
                                  • Opcode Fuzzy Hash: 36152b0dcf1d80259a477477ce8a6ba5700b6154f7d802f5e94468563093d619
                                  • Instruction Fuzzy Hash: 5AA01132000000AFCA02AB80EF08C0ABBB2ABA8300B008838A280800328B322820EB08
                                  APIs
                                    • Part of subcall function 00405342: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403273,00000000,?), ref: 0040537B
                                    • Part of subcall function 00405342: lstrlenA.KERNEL32(s2@,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403273,00000000), ref: 0040538B
                                    • Part of subcall function 00405342: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000020,s2@,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,00000000,004178E0,00000000), ref: 0040539E
                                    • Part of subcall function 00405342: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll), ref: 004053B0
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053D6
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053F0
                                    • Part of subcall function 00405342: SendMessageA.USER32(?,00001013,?,00000000), ref: 004053FE
                                    • Part of subcall function 004058BA: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422530,00000009,00000009,0000000B), ref: 004058E3
                                    • Part of subcall function 004058BA: CloseHandle.KERNEL32(?), ref: 004058F0
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                    • Part of subcall function 004066A2: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066B3
                                    • Part of subcall function 004066A2: GetExitCodeProcess.KERNEL32(?,?), ref: 004066D5
                                    • Part of subcall function 0040617F: wsprintfA.USER32 ref: 0040618C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                  • String ID:
                                  • API String ID: 2972824698-0
                                  • Opcode ID: 6eb9e3398cf465c9512d2e174c190d760210a61291e6dc41f2e0216d7b65c4e4
                                  • Instruction ID: 5718a2d5686dfb0023de871151281f308b816711e5e4bbad6a58eb1297ac444a
                                  • Opcode Fuzzy Hash: 6eb9e3398cf465c9512d2e174c190d760210a61291e6dc41f2e0216d7b65c4e4
                                  • Instruction Fuzzy Hash: 63F0B432905121DBDB20AFA18D849EFB2B4DF41318B25463FF502B21D1CB7C4E424AAE
                                  APIs
                                  • GetDlgItem.USER32(?,000003FB), ref: 0040477F
                                  • SetWindowTextA.USER32(00000000,?), ref: 004047A9
                                  • SHBrowseForFolderA.SHELL32(?,00420100,?), ref: 0040485A
                                  • CoTaskMemFree.OLE32(00000000), ref: 00404865
                                  • lstrcmpiA.KERNEL32(Call,idrtsanlgget: Installing), ref: 00404897
                                  • lstrcatA.KERNEL32(?,Call), ref: 004048A3
                                  • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004048B5
                                    • Part of subcall function 0040591B: GetDlgItemTextA.USER32(?,?,00000400,004048EC), ref: 0040592E
                                    • Part of subcall function 004064FF: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406557
                                    • Part of subcall function 004064FF: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406564
                                    • Part of subcall function 004064FF: CharNextA.USER32(0000000B,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406569
                                    • Part of subcall function 004064FF: CharPrevA.USER32(0000000B,0000000B,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406579
                                  • GetDiskFreeSpaceA.KERNEL32(0041FCF8,?,?,0000040F,?,0041FCF8,0041FCF8,?,00000001,0041FCF8,?,?,000003FB,?), ref: 00404973
                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040498E
                                    • Part of subcall function 00404AE7: lstrlenA.KERNEL32(idrtsanlgget: Installing,idrtsanlgget: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A02,000000DF,00000000,00000400,?), ref: 00404B85
                                    • Part of subcall function 00404AE7: wsprintfA.USER32 ref: 00404B8D
                                    • Part of subcall function 00404AE7: SetDlgItemTextA.USER32(?,idrtsanlgget: Installing), ref: 00404BA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: A$C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion$Call$idrtsanlgget: Installing
                                  • API String ID: 2624150263-2326844613
                                  • Opcode ID: e76a4948ef658972b7673bd0f97ca2c2cbbd141a14644bd013b1bb39cbb64012
                                  • Instruction ID: e753fbc9938ab1d63947c0daeacc1ab728496816c11f43441145cd959f33a516
                                  • Opcode Fuzzy Hash: e76a4948ef658972b7673bd0f97ca2c2cbbd141a14644bd013b1bb39cbb64012
                                  • Instruction Fuzzy Hash: 17A162F1A00219ABDB11EFA5C945AAF77B8EF84314F10843BF601B62D1D77C9A418F69
                                  APIs
                                    • Part of subcall function 73F112A5: GlobalAlloc.KERNEL32(00000040,73F112C3,?,73F1135F,-73F1504B,73F111C0,-000000A0), ref: 73F112AD
                                  • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 73F11C54
                                  • lstrcpyA.KERNEL32(00000008,?), ref: 73F11C9C
                                  • lstrcpyA.KERNEL32(00000408,?), ref: 73F11CA6
                                  • GlobalFree.KERNEL32(00000000), ref: 73F11CB9
                                  • GlobalFree.KERNEL32(?), ref: 73F11D99
                                  • GlobalFree.KERNEL32(?), ref: 73F11D9E
                                  • GlobalFree.KERNEL32(?), ref: 73F11DA3
                                  • GlobalFree.KERNEL32(00000000), ref: 73F11F8A
                                  • lstrcpyA.KERNEL32(?,?), ref: 73F12128
                                  • GetModuleHandleA.KERNEL32(00000008), ref: 73F121A4
                                  • LoadLibraryA.KERNEL32(00000008), ref: 73F121B5
                                  • GetProcAddress.KERNEL32(?,?), ref: 73F1220E
                                  • lstrlenA.KERNEL32(00000408), ref: 73F12228
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
                                  • Associated: 00000000.00000002.4590249257.0000000073F10000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590287407.0000000073F14000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590303574.0000000073F16000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
                                  Similarity
                                  • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                  • String ID:
                                  • API String ID: 245916457-0
                                  • Opcode ID: 5feeff151e7afcaa9d9728959d6638b9127a2e74d1441d24f7d468b256ce67f3
                                  • Instruction ID: 520e8420442c0f8a4db5a580cfe2d980d07358dc2867dbad8a1bb1f878aad32e
                                  • Opcode Fuzzy Hash: 5feeff151e7afcaa9d9728959d6638b9127a2e74d1441d24f7d468b256ce67f3
                                  • Instruction Fuzzy Hash: 5C22BC72D14A4BEFDB12CFA4E8807EEBBF5BB04384F14852ED196A3290D77495A1CB50
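Two entries in this listing carry most of the triage signal: the function ending at ref 00401FC0 (CreateProcessA inside a subcall, followed by WaitForSingleObject and GetExitCodeProcess, i.e. a child process run synchronously and its exit code read back) and the System.dll plugin function starting at ref 73F11C54 (GetModuleHandleA/LoadLibraryA followed by GetProcAddress, i.e. API addresses resolved at run time). The Python below is an added example, not Joe Sandbox code and not part of the sample: it parses lines in the "APIs" and "Strings" format used above, decodes the dwCreationFlags argument of CreateProcessA, pulls file paths out of the argument lists, and reports those two patterns. The regular expressions and the argument-position assumptions are inferred from the listing, not a published Joe Sandbox schema; the sample lines are copied from the entries above.

```python
"""Parse the per-function "APIs"/"Strings" lines of a Joe Sandbox disassembly
listing and flag call patterns worth a second look during triage.

Added example, not Joe Sandbox code. The line format below is inferred from the
listing, not a published schema."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the function listing above.
SAMPLE = r"""
• Part of subcall function 004058BA: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422530,00000009,00000009,0000000B), ref: 004058E3
• Part of subcall function 004058BA: CloseHandle.KERNEL32(?), ref: 004058F0
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
• Part of subcall function 004066A2: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066B3
• Part of subcall function 004066A2: GetExitCodeProcess.KERNEL32(?,?), ref: 004066D5
• Part of subcall function 0040617F: wsprintfA.USER32 ref: 0040618C
• Part of subcall function 004064FF: CharNextA.USER32(0000000B,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406569
• GetModuleHandleA.KERNEL32(00000008), ref: 73F121A4
• LoadLibraryA.KERNEL32(00000008), ref: 73F121B5
• GetProcAddress.KERNEL32(?,?), ref: 73F1220E
• CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
• C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes, xrefs: 00402238
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]         # stack values as listed; entries past the real parameter count are caller residue (assumption)
    ref: int                # address of the call instruction
    subcall: Optional[int]  # callee address when the line is marked "Part of subcall function"


API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*(?P<text>.+?), xrefs: (?P<ref>[0-9A-Fa-f]{8})\s*$")
PATH = re.compile(r'^"?(?P<p>[A-Za-z]:\\[^"]*)"?$')  # plain or double-quoted DOS path

# dwCreationFlags bits worth naming in triage (documented Win32 values).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


def parse_listing(text: str) -> Tuple[List[ApiCall], List[Tuple[str, int]]]:
    """Split listing text into API calls and string xrefs; unrecognised lines are ignored."""
    calls, strings = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m["args"]
            # Argument values never contain commas in this listing, so a plain split is enough.
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                                 int(m["sub"], 16) if m["sub"] else None))
            continue
        m = STRING_LINE.match(line)
        if m:
            strings.append((m["text"], int(m["ref"], 16)))
    return calls, strings


def creation_flags(call: ApiCall) -> Optional[List[str]]:
    """Decode dwCreationFlags, the 6th CreateProcessA/W parameter; None if absent or unresolved ('?')."""
    if not call.api.startswith("CreateProcess") or len(call.args) < 6:
        return None
    try:
        value = int(call.args[5], 16)
    except ValueError:
        return None
    return sorted(name for bit, name in CREATION_FLAGS.items() if value & bit)


def file_paths(calls: List[ApiCall], strings: List[Tuple[str, int]]) -> List[str]:
    """Unique DOS paths seen as call arguments or string xrefs, in first-seen order."""
    seen: List[str] = []
    candidates = [a for c in calls for a in c.args] + [t for t, _ in strings]
    for value in candidates:
        m = PATH.match(value)
        if m and m["p"] not in seen:
            seen.append(m["p"])
    return seen


def triage(calls: List[ApiCall], strings: List[Tuple[str, int]]) -> List[str]:
    """Name the call patterns a reviewer would look for in an NSIS-style loader."""
    findings = []
    names = {c.api for c in calls}
    if names & {"LoadLibraryA", "GetModuleHandleA"} and "GetProcAddress" in names:
        findings.append("dynamic API resolution (LoadLibrary/GetModuleHandle + GetProcAddress)")
    spawn = [c for c in calls if c.api.startswith("CreateProcess")]
    if spawn and {"WaitForSingleObject", "GetExitCodeProcess"} <= names:
        flags = creation_flags(spawn[0]) or []
        findings.append("child process spawned and waited on, exit code read; creation flags="
                        + (",".join(flags) or "unresolved"))
    return findings


if __name__ == "__main__":
    parsed_calls, parsed_strings = parse_listing(SAMPLE)
    for finding in triage(parsed_calls, parsed_strings):
        print("finding:", finding)
    for path in file_paths(parsed_calls, parsed_strings):
        print("path:", path)
```

Run against the sample, the script reports the dynamic API resolution pattern, the spawn-and-wait pattern with CREATE_DEFAULT_ERROR_MODE (0x04000000) as the only creation flag set, and the three paths from the argument lists and string xrefs. Arguments prefixed "Skipped:" in other entries are left as-is by the path matcher; extend PATH if you want those too.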
                                  APIs
                                  • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                  Strings
                                  • C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes, xrefs: 00402238
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID: C:\Users\user\AppData\Roaming\filigraners\nonforming\gumphion\Feltbeskrivelsernes
                                  • API String ID: 123533781-1301576671
                                  • Opcode ID: b0aae12e9e80e7278f167df31a08d1e1ff520427b0bd22927559853b09e1289d
                                  • Instruction ID: 9a6e13a84768a97fe35f9fbd9e741d12faf01c6f9269aab775f91d282ceb3430
                                  • Opcode Fuzzy Hash: b0aae12e9e80e7278f167df31a08d1e1ff520427b0bd22927559853b09e1289d
                                  • Instruction Fuzzy Hash: 52513575A00208AFDF10DFE4CA88A9DBBB5EF48314F2045BAF505EB2D1DA799981CB54
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  • Opcode ID: 76c609cce9e9f4d3a544545c7546735dc994a36159f1b8e2332398bbe03192ae
                                  • Instruction ID: c7ee1f3f889fce3ed268d9e5a3e6a13119a7ec2743a27e162eef32eb1a6f732b
                                  • Opcode Fuzzy Hash: 76c609cce9e9f4d3a544545c7546735dc994a36159f1b8e2332398bbe03192ae
                                  • Instruction Fuzzy Hash: 70F0A072A08104AFD710EBA49A49AEEB7A89F51314F60047BF142B20C1DAB889459B2A
                                  APIs
                                  • GetDlgItem.USER32(?,000003F9), ref: 00404CBA
                                  • GetDlgItem.USER32(?,00000408), ref: 00404CC7
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D16
                                  • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404D2D
                                  • SetWindowLongA.USER32(?,000000FC,004052B6), ref: 00404D47
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D59
                                  • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404D6D
                                  • SendMessageA.USER32(?,00001109,00000002), ref: 00404D83
                                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404D8F
                                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404D9F
                                  • DeleteObject.GDI32(00000110), ref: 00404DA4
                                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404DCF
                                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404DDB
                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404E75
                                  • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404EA5
                                    • Part of subcall function 004042D3: SendMessageA.USER32(00000028,?,00000001,00404103), ref: 004042E1
                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EB9
                                  • GetWindowLongA.USER32(?,000000F0), ref: 00404EE7
                                  • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404EF5
                                  • ShowWindow.USER32(?,00000005), ref: 00404F05
                                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405000
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00405065
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040507A
                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040509E
                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 004050BE
                                  • ImageList_Destroy.COMCTL32(00000000), ref: 004050D3
                                  • GlobalFree.KERNEL32(00000000), ref: 004050E3
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0040515C
                                  • SendMessageA.USER32(?,00001102,?,?), ref: 00405205
                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00405214
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0040523F
                                  • ShowWindow.USER32(?,00000000), ref: 0040528D
                                  • GetDlgItem.USER32(?,000003FE), ref: 00405298
                                  • ShowWindow.USER32(00000000), ref: 0040529F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                  • String ID: $M$N
                                  • API String ID: 2564846305-813528018
                                  • Opcode ID: 794a881554aa8ee5c03984d67aba1b946bc09460173a88b24fed42e0447ecfda
                                  • Instruction ID: eaf97ba40d1a8a68e59669e27dec6a45f45a0f9c145d9977960b59e902c3d2a8
                                  • Opcode Fuzzy Hash: 794a881554aa8ee5c03984d67aba1b946bc09460173a88b24fed42e0447ecfda
                                  • Instruction Fuzzy Hash: 4A024CB0A00209AFDB20DF94DD45AAE7BB5FB84354F10817AF610BA2E1C7799D52CF58
                                  APIs
                                  • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404494
                                  • GetDlgItem.USER32(00000000,000003E8), ref: 004044A8
                                  • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004044C6
                                  • GetSysColor.USER32(?), ref: 004044D7
                                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004044E6
                                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004044F5
                                  • lstrlenA.KERNEL32(?), ref: 004044F8
                                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404507
                                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040451C
                                  • GetDlgItem.USER32(?,0000040A), ref: 0040457E
                                  • SendMessageA.USER32(00000000), ref: 00404581
                                  • GetDlgItem.USER32(?,000003E8), ref: 004045AC
                                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004045EC
                                  • LoadCursorA.USER32(00000000,00007F02), ref: 004045FB
                                  • SetCursor.USER32(00000000), ref: 00404604
                                  • LoadCursorA.USER32(00000000,00007F00), ref: 0040461A
                                  • SetCursor.USER32(00000000), ref: 0040461D
                                  • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404649
                                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040465D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                  • String ID: Call$N
                                  • API String ID: 3103080414-3438112850
                                  • Opcode ID: 21b32bc18747278c3fc9abe704871c7eb255863afb6518fb253cc5974840fda6
                                  • Instruction ID: 19dd9b89fe194ce799d0bd63e24487b59783ad6daf98ac57737cf63793bd87c2
                                  • Opcode Fuzzy Hash: 21b32bc18747278c3fc9abe704871c7eb255863afb6518fb253cc5974840fda6
                                  • Instruction Fuzzy Hash: 3161D1B1A00209BFDB109F60DD41F6A7B69FB84714F10843AFB01BA2D1D7B9A951CF98
                                  APIs
                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                  • BeginPaint.USER32(?,?), ref: 00401047
                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                  • DeleteObject.GDI32(?), ref: 004010ED
                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                  • DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                  • DeleteObject.GDI32(?), ref: 00401165
                                  • EndPaint.USER32(?,?), ref: 0040116E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                  • String ID: F
                                  • API String ID: 941294808-1304234792
                                  • Opcode ID: b799dd1a971940b4fc8ca4173c10a8ae55f420b38ef2044293a40ca8625a1840
                                  • Instruction ID: a6f893611d91958757d7abdb39a5a5a621d211be569e4afefe4ad678f372ba43
                                  • Opcode Fuzzy Hash: b799dd1a971940b4fc8ca4173c10a8ae55f420b38ef2044293a40ca8625a1840
                                  • Instruction Fuzzy Hash: 2A419D71800209AFCF058FA5DE459AF7FB9FF45315F00802AF591AA1A0CB34DA55DFA4
                                  APIs
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,0040601B,?,?), ref: 00405EBB
                                  • GetShortPathNameA.KERNEL32(?,00422AB8,00000400), ref: 00405EC4
                                    • Part of subcall function 00405D19: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F74,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D29
                                    • Part of subcall function 00405D19: lstrlenA.KERNEL32(00000000,?,00000000,00405F74,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
                                  • GetShortPathNameA.KERNEL32(?,00422EB8,00000400), ref: 00405EE1
                                  • wsprintfA.USER32 ref: 00405EFF
                                  • GetFileSize.KERNEL32(00000000,00000000,00422EB8,C0000000,00000004,00422EB8,?,?,?,?,?), ref: 00405F3A
                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F49
                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F81
                                  • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,004226B8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405FD7
                                  • GlobalFree.KERNEL32(00000000), ref: 00405FE8
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405FEF
                                    • Part of subcall function 00405DB4: GetFileAttributesA.KERNELBASE(00000003,00402F4C,C:\Users\user\Desktop\Quotation.scr.exe,80000000,00000003,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00405DB8
                                    • Part of subcall function 00405DB4: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00405DDA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                  • String ID: %s=%s$[Rename]
                                  • API String ID: 2171350718-1727408572
                                  • Opcode ID: b061847358bae32614ae3fbb20bf7e9975ad391bf9d527a1c58370104a7af2fb
                                  • Instruction ID: 88c5e5407a43b54e41deaa229ccbccef9ced89fb1ce45320c39bc213381e5d83
                                  • Opcode Fuzzy Hash: b061847358bae32614ae3fbb20bf7e9975ad391bf9d527a1c58370104a7af2fb
                                  • Instruction Fuzzy Hash: 6D31E571601B16BBC2206B65AE48F6B3A5CDF45754F14003BBA41F72C2EB7CD8018AAD
                                  APIs
                                  • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406557
                                  • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406564
                                  • CharNextA.USER32(0000000B,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406569
                                  • CharPrevA.USER32(0000000B,0000000B,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe",00403358,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00406579
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00406500
                                  • *?|<>/":, xrefs: 00406547
                                  • "C:\Users\user\Desktop\Quotation.scr.exe", xrefs: 004064FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Char$Next$Prev
                                  • String ID: "C:\Users\user\Desktop\Quotation.scr.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 589700163-2121895730
                                  • Opcode ID: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
                                  • Instruction ID: 5f7c3b98dc591c7ba51bc7d2f92361dd06d972f432d341123973b40cc294b26e
                                  • Opcode Fuzzy Hash: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
                                  • Instruction Fuzzy Hash: BD11E2618047A539EB3206383C44B7BBFD84B57760F19407BE8C2722CAE67C5DA2826D
                                  APIs
                                  • GetWindowLongA.USER32(?,000000EB), ref: 00404322
                                  • GetSysColor.USER32(00000000), ref: 00404360
                                  • SetTextColor.GDI32(?,00000000), ref: 0040436C
                                  • SetBkMode.GDI32(?,?), ref: 00404378
                                  • GetSysColor.USER32(?), ref: 0040438B
                                  • SetBkColor.GDI32(?,?), ref: 0040439B
                                  • DeleteObject.GDI32(?), ref: 004043B5
                                  • CreateBrushIndirect.GDI32(?), ref: 004043BF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                  • String ID:
                                  • API String ID: 2320649405-0
                                  • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                  • Instruction ID: cbb63c24786ddac73b6e2c7cadba0d935618cf0fa9c5825f710cbfd685b967e9
                                  • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                  • Instruction Fuzzy Hash: C52165716007049FCB309F68D908B5BBBF8AF41714B049A3EFD96A26E0C734E914CB54
                                  APIs
                                    • Part of subcall function 73F112A5: GlobalAlloc.KERNEL32(00000040,73F112C3,?,73F1135F,-73F1504B,73F111C0,-000000A0), ref: 73F112AD
                                  • GlobalFree.KERNEL32(?), ref: 73F1266E
                                  • GlobalFree.KERNEL32(00000000), ref: 73F126A8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
                                   • Associated: 00000000.00000002.4590249257.0000000073F10000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000000.00000002.4590287407.0000000073F14000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000000.00000002.4590303574.0000000073F16000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
                                  Similarity
                                  • API ID: Global$Free$Alloc
                                  • String ID:
                                  • API String ID: 1780285237-0
                                  • Opcode ID: 6300a8cec9430d2fd674837d796bb241540e7bd6f377c92a80cb31736000c4a7
                                  • Instruction ID: 018cb53b3d95cd305a4a25d0bfa25a0e2bafc5b0c900bd2996f717a2ec7d576e
                                  • Opcode Fuzzy Hash: 6300a8cec9430d2fd674837d796bb241540e7bd6f377c92a80cb31736000c4a7
                                  • Instruction Fuzzy Hash: 1041FE7212424BFFD702AF95FCA4E2E77FAFB852C0B154529F546871A0D7319824CB61
                                  APIs
                                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C0C
                                  • GetMessagePos.USER32 ref: 00404C14
                                  • ScreenToClient.USER32(?,?), ref: 00404C2E
                                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404C40
                                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404C66
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Message$Send$ClientScreen
                                  • String ID: f
                                  • API String ID: 41195575-1993550816
                                  • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                  • Instruction ID: 93109a8e724f31e93e0d54bf25cae36486e14b8225363ffb07e64e962ae03204
                                  • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                  • Instruction Fuzzy Hash: A9019E71900218BAEB00DBA4DD85BFFBBBCAF94B11F10012BBA01F61C0C7B499018BA4
                                  APIs
                                  • GetDC.USER32(?), ref: 00401E38
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                  • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                  • CreateFontIndirectA.GDI32(0040B808), ref: 00401EBA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                  • String ID: Times New Roman
                                  • API String ID: 3808545654-927190056
                                  • Opcode ID: dc4986470ccc1e885ab6304a393f4fc351a1beac63bd6d4e5a91924cbf728a71
                                  • Instruction ID: 78bc72d8b84ad67ba28d95cca09b36b8d676801cdfa06d30d46d0d336fc021b3
                                  • Opcode Fuzzy Hash: dc4986470ccc1e885ab6304a393f4fc351a1beac63bd6d4e5a91924cbf728a71
                                  • Instruction Fuzzy Hash: 94018072545240AEE7007BA0AE4AA997FE8DB95305F108879F241B62E2CB7804858BAC
                                  APIs
                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                                  • MulDiv.KERNEL32(00063649,00000064,0006364D), ref: 00402E6B
                                  • wsprintfA.USER32 ref: 00402E7B
                                  • SetWindowTextA.USER32(?,?), ref: 00402E8B
                                  • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E9D
                                  Strings
                                  • verifying installer: %d%%, xrefs: 00402E75
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Text$ItemTimerWindowwsprintf
                                  • String ID: verifying installer: %d%%
                                  • API String ID: 1451636040-82062127
                                  • Opcode ID: 2387a686b3b1868cd92a13c0d2e980d3c860b1c7e3fdee4f6c2790c96e5fb89f
                                  • Instruction ID: 4e34671f6ad7519bbf5f6dc156f4cbc88be2f864d54f027ec7db53c8ecd7e5c4
                                  • Opcode Fuzzy Hash: 2387a686b3b1868cd92a13c0d2e980d3c860b1c7e3fdee4f6c2790c96e5fb89f
                                  • Instruction Fuzzy Hash: C6016271640209FBEF10AF60DE09EEE37A9EB44344F008039FA06B51D0DBB89A55CF59
                                  APIs
                                  • GlobalFree.KERNEL32(00000000), ref: 73F124D7
                                    • Part of subcall function 73F112B4: lstrcpynA.KERNEL32(00000000,?,73F1135F,-73F1504B,73F111C0,-000000A0), ref: 73F112C4
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 73F12452
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 73F12467
                                  • GlobalAlloc.KERNEL32(00000040,00000010), ref: 73F12478
                                  • CLSIDFromString.OLE32(00000000,00000000), ref: 73F12486
                                  • GlobalFree.KERNEL32(00000000), ref: 73F1248D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
                                   • Associated: 00000000.00000002.4590249257.0000000073F10000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000000.00000002.4590287407.0000000073F14000.00000002.00000001.01000000.00000006.sdmp
                                   • Associated: 00000000.00000002.4590303574.0000000073F16000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
                                  Similarity
                                  • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                  • String ID:
                                  • API String ID: 3730416702-0
                                  • Opcode ID: 4307348f1fc1f4964a3d82cea720edf8efeeab012136836930d398cd5bc471bc
                                  • Instruction ID: ffdf38b94fd891e9d7f1ca0ebb3f2b1cd75ba9d07410ab080f0ff2dd2b12ffc2
                                  • Opcode Fuzzy Hash: 4307348f1fc1f4964a3d82cea720edf8efeeab012136836930d398cd5bc471bc
                                  • Instruction Fuzzy Hash: CF41ADB250430BEFE3119FA5BC44F2AB7F8FB40391F10492AE54ACB581EB709564CB61
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                                  • GlobalFree.KERNEL32(?), ref: 004028A4
                                  • GlobalFree.KERNEL32(00000000), ref: 004028B7
                                  • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                  • String ID:
                                  • API String ID: 2667972263-0
                                  • Opcode ID: acc099840e9607f503e710369c762ba45212ae4652965a23db4686c54a72cba8
                                  • Instruction ID: 8632efffce6a08cefdb0cfd556c512b85b55bf4b4fc6fb5f4450e668879817f3
                                  • Opcode Fuzzy Hash: acc099840e9607f503e710369c762ba45212ae4652965a23db4686c54a72cba8
                                  • Instruction Fuzzy Hash: 0431AD32800128BBDF206FA5DE88D9E7A79FF08324F14423AF551762E1CB798D419B68
                                  APIs
                                  • lstrlenA.KERNEL32(idrtsanlgget: Installing,idrtsanlgget: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A02,000000DF,00000000,00000400,?), ref: 00404B85
                                  • wsprintfA.USER32 ref: 00404B8D
                                  • SetDlgItemTextA.USER32(?,idrtsanlgget: Installing), ref: 00404BA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: ItemTextlstrlenwsprintf
                                  • String ID: %u.%u%s%s$idrtsanlgget: Installing
                                  • API String ID: 3540041739-1909175859
                                  • Opcode ID: 8b1ef967b5b00d02d6caa54b4d9d803dba6c75d78853161841dcb3146d3338a9
                                  • Instruction ID: f44851e3edde3faf6d7f52d360daa71fec4d247360b3acd862e229950198d803
                                  • Opcode Fuzzy Hash: 8b1ef967b5b00d02d6caa54b4d9d803dba6c75d78853161841dcb3146d3338a9
                                  • Instruction Fuzzy Hash: 4B11B7736041286BDB00766D9C41EAE32DCDB85374F26023BFA26F31D2E978DC1285A9
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
                                  • Associated: 00000000.00000002.4590249257.0000000073F10000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590287407.0000000073F14000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590303574.0000000073F16000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
                                  Similarity
                                  • API ID: FreeGlobal
                                  • String ID:
                                  • API String ID: 2979337801-0
                                  • Opcode ID: 9df85fef2ab153c023f00e18ea44c076479cbf933837b2716f59a221e02087d2
                                  • Instruction ID: f9c4e3b90fcc87b4254e07f04b2ebd6ab986a1299ca533470233644bb49150e6
                                  • Opcode Fuzzy Hash: 9df85fef2ab153c023f00e18ea44c076479cbf933837b2716f59a221e02087d2
                                  • Instruction Fuzzy Hash: 1A51C072D14D1FEBEB129FB4B95076DBFFAAB453C0F08016AD407E3184C6319AA187A1
                                  APIs
                                  • GetDlgItem.USER32(?,?), ref: 00401D7E
                                  • GetClientRect.USER32(?,?), ref: 00401DCC
                                  • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                  • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                  • DeleteObject.GDI32(00000000), ref: 00401E20
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                  • String ID:
                                  • API String ID: 1849352358-0
                                  • Opcode ID: d28cbb5eda08e771adb109fb75cc135253c4c6798ae45942146c48eb1f3332cd
                                  • Instruction ID: 166fbd332a9bfc0cbe575961a26d2f7de32a708cb4bfa95e9fb96a6f934cc0d1
                                  • Opcode Fuzzy Hash: d28cbb5eda08e771adb109fb75cc135253c4c6798ae45942146c48eb1f3332cd
                                  • Instruction Fuzzy Hash: 39213B72E00109AFDF15DFA4DD85AAEBBB5EB88300F24407EF911F62A0DB389941DB54
                                  APIs
                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: MessageSend$Timeout
                                  • String ID: !
                                  • API String ID: 1777923405-2657877971
                                  • Opcode ID: db2acdc13556941c9656f9311d636ddd353e6d1dedc92fc6a701a87acdf3cd67
                                  • Instruction ID: 8efc05d96505a2d0f77a22297702c6146484586f10b4035423ddbf39008941fb
                                  • Opcode Fuzzy Hash: db2acdc13556941c9656f9311d636ddd353e6d1dedc92fc6a701a87acdf3cd67
                                  • Instruction Fuzzy Hash: E0218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                                  APIs
                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,00000023,00000011,00000002), ref: 004024C9
                                  • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,00000000,00000011,00000002), ref: 00402509
                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,00000000,00000011,00000002), ref: 004025ED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CloseValuelstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp
                                  • API String ID: 2655323295-1947775540
                                  • Opcode ID: c03baa2e5d6f7389340f2db8ffb6109b7a87ada7a837ae82fb4f7dc30b9973d5
                                  • Instruction ID: 190854678252c7ae699d8d730a6501125d28a80e007e472a4f2f409cdc8177a1
                                  • Opcode Fuzzy Hash: c03baa2e5d6f7389340f2db8ffb6109b7a87ada7a837ae82fb4f7dc30b9973d5
                                  • Instruction Fuzzy Hash: DD118171E04208AFEB10AFA5DE49AAE7A74EB84714F21843AF504B71C1D6B94D409B68
                                  APIs
                                    • Part of subcall function 00406221: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403520,00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 0040622E
                                    • Part of subcall function 00405C4C: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,0000000B,00405CB8,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A03,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405C5A
                                    • Part of subcall function 00405C4C: CharNextA.USER32(00000000), ref: 00405C5F
                                    • Part of subcall function 00405C4C: CharNextA.USER32(00000000), ref: 00405C73
                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A03,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405CF4
                                  • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A03,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 00405D04
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp
                                  • API String ID: 3248276644-2411592231
                                  • Opcode ID: 05241cbe2983c15fb16c5db64315655786cdd63146abf389be85c150195ec36b
                                  • Instruction ID: 5ab6a02976ddcdb736d880722f98471683130cd3bc6ac039ae5d360b48fe5916
                                  • Opcode Fuzzy Hash: 05241cbe2983c15fb16c5db64315655786cdd63146abf389be85c150195ec36b
                                  • Instruction Fuzzy Hash: 65F0283110AF6126F62233391D45E9F2A44CD87724B16053FF893B12D2DB3C8853A97E
                                  APIs
                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040336A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00405BB9
                                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040336A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365A,?,00000007,00000009,0000000B), ref: 00405BC2
                                  • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405BD3
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BB3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrcatlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 2659869361-3936084776
                                  • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                  • Instruction ID: b86567b4ee66a8209c9d9c21eccc7ced3f9bb51a136e3b6b5cf747e4579768d6
                                  • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                  • Instruction Fuzzy Hash: FBD0A7E25015307AD20137194C05DCB29088F12301705046AF100B2191C73C5C1247FE
                                  APIs
                                  • CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,0000000B,00405CB8,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A03,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.scr.exe"), ref: 00405C5A
                                  • CharNextA.USER32(00000000), ref: 00405C5F
                                  • CharNextA.USER32(00000000), ref: 00405C73
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp, xrefs: 00405C4D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CharNext
                                  • String ID: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp
                                  • API String ID: 3213498283-1947775540
                                  • Opcode ID: 316c3355a28f754ee8ac0e81cdef43e8e77e46aced88bc4ffefd33f9dabad7a9
                                  • Instruction ID: a7fbbe87204c24d7d6cb5328c2ebf38284c160ed137a729cdb158871e3abfbcf
                                  • Opcode Fuzzy Hash: 316c3355a28f754ee8ac0e81cdef43e8e77e46aced88bc4ffefd33f9dabad7a9
                                  • Instruction Fuzzy Hash: C1F0F69190CF542AFB325A240C48B775B8CCB56315F14017BE5807A2C1C27D4C418FAA
                                  APIs
                                  • DestroyWindow.USER32(00000000,00000000,00403086,00000001,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00402EBB
                                  • GetTickCount.KERNEL32 ref: 00402ED9
                                  • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402EF6
                                  • ShowWindow.USER32(00000000,00000005,?,?,004036C7,?,?,00000007,00000009,0000000B), ref: 00402F04
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                  • String ID:
                                  • API String ID: 2102729457-0
                                  • Opcode ID: a9c2853ddcd1656e7817f0d5388c48bc4b44f27495d9f2d304638d827323b041
                                  • Instruction ID: 3d9954c0eee0c06c8e9eeac24af80258685528ff6c953594b0b57335f720365d
                                  • Opcode Fuzzy Hash: a9c2853ddcd1656e7817f0d5388c48bc4b44f27495d9f2d304638d827323b041
                                  • Instruction Fuzzy Hash: FEF08230641620AFCA21BBA0FE4C99B7BA4F744B92711493EF105B11E5CB7408878BEC
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 004052E5
                                  • CallWindowProcA.USER32(?,?,?,?), ref: 00405336
                                    • Part of subcall function 004042EA: SendMessageA.USER32(00010418,00000000,00000000,00000000), ref: 004042FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Window$CallMessageProcSendVisible
                                  • String ID:
                                  • API String ID: 3748168415-3916222277
                                  • Opcode ID: 3571107e61fb0c95499abe12c62524c8ca61ab5f39c6c483d2e3bb4747d79c88
                                  • Instruction ID: bfbe8dc1bf67acc38286ff3f407fa9b744a8d5c942e012c28e7a3ee07d6728e2
                                  • Opcode Fuzzy Hash: 3571107e61fb0c95499abe12c62524c8ca61ab5f39c6c483d2e3bb4747d79c88
                                  • Instruction Fuzzy Hash: ED01B131200B08ABDF204F11ED84A5B3765EB88390F60003BFE00761D1C7B99D529F2D
                                  APIs
                                  • FreeLibrary.KERNEL32(?,76233410,00000000,C:\Users\user\AppData\Local\Temp\,0040394A,00403764,?,?,00000007,00000009,0000000B), ref: 0040398C
                                  • GlobalFree.KERNEL32(00665C10), ref: 00403993
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403972
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: Free$GlobalLibrary
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 1100898210-3936084776
                                  • Opcode ID: d577bf8b0ad620a88e67a325e5e326df37630095cafad59fd52e64b4463e9122
                                  • Instruction ID: 7fcd8f2a76792aaf65c7a7a410b35961c4f4b24c3bdde611e9105fedf7b4f224
                                  • Opcode Fuzzy Hash: d577bf8b0ad620a88e67a325e5e326df37630095cafad59fd52e64b4463e9122
                                  • Instruction Fuzzy Hash: D8E0C2339015209BC621AF45EE0475ABB6C7F89B22F02403BEC80BB2608BB41C438FCC
                                  APIs
                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F78,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.scr.exe,C:\Users\user\Desktop\Quotation.scr.exe,80000000,00000003,?,?,004036C7,?,?,00000007,00000009), ref: 00405C00
                                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F78,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.scr.exe,C:\Users\user\Desktop\Quotation.scr.exe,80000000,00000003,?,?,004036C7,?), ref: 00405C0E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrlen
                                  • String ID: C:\Users\user\Desktop
                                  • API String ID: 2709904686-3125694417
                                  • Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                  • Instruction ID: ccc0835048b4db58876b5cdb573ff3971575dcca65adb0de3259b21bb5a5f044
                                  • Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                  • Instruction Fuzzy Hash: 5FD0A9B240CAB06EF30362148C00B8F6A88CF23300F0A00A6E180A21A1C3784C828BFE
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 73F1116B
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 73F111D8
                                  • GlobalFree.KERNEL32(?), ref: 73F11286
                                  • GlobalFree.KERNEL32(00000000), ref: 73F1129B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
                                  • Associated: 00000000.00000002.4590249257.0000000073F10000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590287407.0000000073F14000.00000002.00000001.01000000.00000006.sdmp
                                  • Associated: 00000000.00000002.4590303574.0000000073F16000.00000002.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
                                  Similarity
                                  • API ID: Global$AllocFree
                                  • String ID:
                                  • API String ID: 3394109436-0
                                  • Opcode ID: efffea6737d5673917f7fd6c8ca68a4b44f3a62cfcfe4993a5545ddcfef60557
                                  • Instruction ID: ad5dd144ba68687f8b8df39df995eae5ee21509f2ff79788e1ced4e7d47f20a4
                                  • Opcode Fuzzy Hash: efffea6737d5673917f7fd6c8ca68a4b44f3a62cfcfe4993a5545ddcfef60557
                                  • Instruction Fuzzy Hash: 4151AFB2514B47DFD341DFA9E8A4B29BBF8FB493C0B190459E54BD7264E7309820CB51
                                  APIs
                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F74,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D29
                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D41
                                  • CharNextA.USER32(00000000,?,00000000,00405F74,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D52
                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405F74,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582662075.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582681506.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4582774449.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                  Similarity
                                  • API ID: lstrlen$CharNextlstrcmpi
                                  • String ID:
                                  • API String ID: 190613189-0
                                  • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                  • Instruction ID: 90130a3543624645d11f2bc918893db112b14c99f7b5f0f5ae8e3e94e5344734
                                  • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                  • Instruction Fuzzy Hash: 9FF0F631100914FFCB12DFA4CD44D9EBBA8EF56350B2580BAE840F7210D674DE029BA8
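The per-function records above (APIs, Memory Dump Source, Similarity) are useful for triage only once they are pulled out of the report layout: which module base each function lives in, which APIs it imports, which string arguments look like file-system paths, and the function's RVA relative to the dumped image. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. It assumes the layout shown in this section (every record starts with an "APIs" line, bullets use "•", the "Source File" line carries the image base as "Offset"); the function names parse_records and summarize are my own, and the embedded sample is a shortened copy of two records from this section.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Shortened copy of two function records from the report section above,
# in the plain-text layout Joe Sandbox uses for its disassembly section.
SAMPLE = """\
APIs
• lstrlenA.KERNEL32(80000000,C:\\Users\\user\\Desktop,00402F78), ref: 00405C00
• CharPrevA.USER32(80000000,00000000,80000000,C:\\Users\\user\\Desktop), ref: 00405C0E
Strings
Memory Dump Source
• Source File: 00000000.00000002.4582641253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4582595935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\\Users\\user\\Desktop
• API String ID: 2709904686-3125694417
• Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
• Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
APIs
• GlobalAlloc.KERNEL32(00000040,?), ref: 73F1116B
• GlobalAlloc.KERNEL32(00000040,?), ref: 73F111D8
• GlobalFree.KERNEL32(?), ref: 73F11286
• GlobalFree.KERNEL32(00000000), ref: 73F1129B
Memory Dump Source
• Source File: 00000000.00000002.4590269433.0000000073F11000.00000020.00000001.01000000.00000006.sdmp, Offset: 73F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73f10000_Quotation.jbxd
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
"""

API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")
SOURCE_RE = re.compile(r"^• Source File: (?P<dump>\S+), Offset: (?P<base>[0-9A-Fa-f]{8}), based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<value>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int  # absolute address of the call site as printed in the report


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    dump_file: str = ""
    image_base: int = 0
    based_on_pe: bool = False
    similarity: dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the report text into one FunctionRecord per 'APIs' block."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                      # every record starts here (assumption)
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in m["args"].split(",") if a]
                current.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(line)
            if m:
                current.dump_file = m["dump"]
                current.image_base = int(m["base"], 16)
                current.based_on_pe = m["pe"] == "true"
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                current.similarity[m["key"].strip()] = m["value"].strip()
    return records


def summarize(records: list[FunctionRecord]) -> list[dict]:
    """Per record: image base, distinct module!API names, path-like string
    arguments, and each call site as an RVA from the dumped image base."""
    out = []
    for r in records:
        out.append({
            "base": r.image_base,
            "apis": sorted({f"{c.module}!{c.name}" for c in r.apis}),
            "paths": sorted({a for c in r.apis for a in c.args if DRIVE_PATH_RE.match(a)}),
            "rva": [c.ref - r.image_base for c in r.apis],
        })
    return out


if __name__ == "__main__":
    for row in summarize(parse_records(SAMPLE)):
        print(f"{row['base']:08X} {row['apis']} paths={row['paths']} rva={[hex(v) for v in row['rva']]}")
```

Grouping by image base is the point of the summary: the first record resolves against the dumped main image at 0x400000 while the GlobalAlloc/GlobalFree record resolves against the separate module dumped at 0x73F10000, so the same parser run over a full export separates code in the submitted executable from code in the modules it loaded.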