Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name: Quotation.exe
Analysis ID: 1546656
MD5: fbd9ee316d3beb79ca69987ddc7563a3
SHA1: 9330cd86914cc967b3757cfd56e261661a207358
SHA256: dd15fe7ea08743edcf83e3511206a76569d339d9c6e10a99e7d977f911131b76
Tags: exe, user-TeamDreier

Detection

FormBook, GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Quotation.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: FBD9EE316D3BEB79CA69987DDC7563A3)
    • Quotation.exe (PID: 7904 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: FBD9EE316D3BEB79CA69987DDC7563A3)
  • cleanup
No configs have been found
Yara matches:
      Source | Rule | Description | Author | Strings
      00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
      00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2bec0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x13f4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000000.00000002.2045391530.000000000592C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
No Sigma rule has matched
Suricata alerts:
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-11-01T12:07:17.375917+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.4 | 49730 | TCP
      2024-11-01T12:07:40.421570+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.4 | 59643 | TCP
      2024-11-01T12:07:41.838078+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.4 | 59644 | TCP
      2024-11-01T12:07:48.379430+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 59645 | 142.250.186.174 | 443 | TCP

      AV Detection

      Source: Quotation.exe | ReversingLabs: Detection: 44%
      Source: Yara match | File source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: Quotation.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknown | HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.4:59645 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.4:59646 version: TLS 1.2
      Source: Quotation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp
      Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2224464006.000000003581E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222345921.0000000035660000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2224464006.000000003581E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222345921.0000000035660000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004066F7
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004065AD FindFirstFileW,FindClose,0_2_004065AD
      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:59643
      Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49730
      Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:59644
      Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:59645 -> 142.250.186.174:443
      Source: global traffic | HTTP traffic detected:
        GET /uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: drive.google.com
        Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
        GET /download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
      Source: global traffic | DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
      Source: global traffic | DNS traffic detected: DNS query: drive.google.com
      Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
      Source: Quotation.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error...
      Source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
      Source: Quotation.exe, 00000004.00000001.2043874157.00000000005F2000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
      Source: Quotation.exe, 00000004.00000001.2043874157.00000000005F2000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
      Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
      Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
      Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/r
      Source: Quotation.exe, 00000004.00000002.2282531159.0000000034D60000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262040393.0000000005784000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP
      Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIPLo
      Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIPRo
      Source: Quotation.exe, 00000004.00000002.2262193150.00000000057BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
      Source: Quotation.exe, 00000004.00000003.2215204628.00000000057BD000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222512329.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222784659.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222813842.000000000579E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262103359.000000000579E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262193150.00000000057BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=download
      Source: Quotation.exe, 00000004.00000003.2215204628.00000000057BD000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222512329.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222784659.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262193150.00000000057BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=download$
      Source: Quotation.exe, 00000004.00000003.2222813842.000000000579E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262103359.000000000579E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=downloadl
      Source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
      Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
      Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
      Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
      Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
      Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
      Source: unknown | Network traffic detected: HTTP traffic on port 59646 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59646
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59645
      Source: unknown | Network traffic detected: HTTP traffic on port 59645 -> 443

      E-Banking Fraud

      Source: Yara match | File source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: initial sample | Static PE information: Filename: Quotation.exe
      Source: C:\Users\user\Desktop\Quotation.exe | Process Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A435C0 NtCreateMutant,LdrInitializeThunk,4_2_35A435C0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_35A42DF0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A43090 NtSetValueKey,4_2_35A43090
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A43010 NtOpenDirectoryObject,4_2_35A43010
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A43D10 NtOpenProcessToken,4_2_35A43D10
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A43D70 NtOpenThread,4_2_35A43D70
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A439B0 NtGetContextThread,4_2_35A439B0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A44650 NtSuspendThread,4_2_35A44650
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A44340 NtSetContextThread,4_2_35A44340
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42DB0 NtEnumerateKey,4_2_35A42DB0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42DD0 NtDelayExecution,4_2_35A42DD0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42D30 NtUnmapViewOfSection,4_2_35A42D30
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42D00 NtSetInformationFile,4_2_35A42D00
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42D10 NtMapViewOfSection,4_2_35A42D10
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42CA0 NtQueryInformationToken,4_2_35A42CA0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42CF0 NtOpenProcess,4_2_35A42CF0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42CC0 NtQueryVirtualMemory,4_2_35A42CC0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42C00 NtQueryInformationProcess,4_2_35A42C00
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42C60 NtCreateKey,4_2_35A42C60
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42C70 NtFreeVirtualMemory,4_2_35A42C70
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42FA0 NtQuerySection,4_2_35A42FA0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42FB0 NtResumeThread,4_2_35A42FB0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42F90 NtProtectVirtualMemory,4_2_35A42F90
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42FE0 NtCreateFile,4_2_35A42FE0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42F30 NtCreateSection,4_2_35A42F30
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42F60 NtCreateProcessEx,4_2_35A42F60
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42EA0 NtAdjustPrivilegesToken,4_2_35A42EA0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42E80 NtReadVirtualMemory,4_2_35A42E80
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42EE0 NtQueueApcThread,4_2_35A42EE0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42E30 NtWriteVirtualMemory,4_2_35A42E30
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42BA0 NtEnumerateValueKey,4_2_35A42BA0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42B80 NtQueryInformationFile,4_2_35A42B80
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42BE0 NtQueryValueKey,4_2_35A42BE0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42BF0 NtAllocateVirtualMemory,4_2_35A42BF0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42B60 NtClose,4_2_35A42B60
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42AB0 NtWaitForSingleObject,4_2_35A42AB0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42AF0 NtWriteFile,4_2_35A42AF0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4_2_35A42AD0 NtReadFile,4_2_35A42AD0
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,0_2_004036DA
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 35A45130 appears 56 times
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 35A8F290 appears 100 times
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 359FB970 appears 247 times
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 35A7EA12 appears 70 times
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 35A57E54 appears 103 times
      Source: Quotation.exe | Static PE information: invalid certificate
      Source: Quotation.exe, 00000004.00000003.2224464006.000000003594B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
      Source: Quotation.exe, 00000004.00000002.2282846569.0000000035CA1000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
      Source: Quotation.exe, 00000004.00000003.2222345921.0000000035783000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
      Source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: classification engine | Classification label: mal88.troj.evad.winEXE@3/12@4/2
      Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\overlays
      Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Temp\nsi1716.tmp
      Source: Quotation.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Quotation.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Quotation.exeFile read: C:\Users\user\Desktop\Quotation.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
      Source: C:\Users\user\Desktop\Quotation.exe Section loaded: uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, ntmarta.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll, textshaping.dll, iertutil.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, wininet.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
      Source: C:\Users\user\Desktop\Quotation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\Quotation.exe File written: C:\Users\user\Music\antithetic.ini
      Source: Quotation.exe Static file information: File size 1189752 > 1048576
      Source: Quotation.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp
      Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2224464006.000000003581E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222345921.0000000035660000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2224464006.000000003581E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222345921.0000000035660000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp

      Data Obfuscation

      Source: Yara match File source: 00000000.00000002.2045391530.000000000592C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_73402351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73402351
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359D1368 push eax; iretd 4_2_359D1369
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359D27FA pushad ; ret 4_2_359D27F9
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359D225F pushad ; ret 4_2_359D27F9
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A009AD push ecx; mov dword ptr [esp], ecx 4_2_35A009B6
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359D283D push eax; iretd 4_2_359D2858
      Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll
      Source: C:\Users\user\Desktop\Quotation.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Quotation.exe API/Special instruction interceptor: Address: 5FBF2E9
      Source: C:\Users\user\Desktop\Quotation.exe API/Special instruction interceptor: Address: 285F2E9
      Source: C:\Users\user\Desktop\Quotation.exe RDTSC instruction interceptor: First address: 5F693CE second address: 5F693CE instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F772CBCD574h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test edx, 4B77E884h 0x0000000e rdtsc
      Source: C:\Users\user\Desktop\Quotation.exe RDTSC instruction interceptor: First address: 28093CE second address: 28093CE instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F772CBDCE84h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test edx, 4B77E884h 0x0000000e rdtsc
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD16A6 rdtsc 4_2_35AD16A6
      Source: C:\Users\user\Desktop\Quotation.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll
      Source: C:\Users\user\Desktop\Quotation.exe Evaded block: after key decision graph_0-2971
      Source: C:\Users\user\Desktop\Quotation.exe API coverage: 0.1 %
      Source: C:\Users\user\Desktop\Quotation.exe TID: 8024 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004066F7
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004065AD FindFirstFileW,FindClose, 0_2_004065AD
      Source: Quotation.exe, 00000004.00000002.2262103359.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2223028388.00000000057AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\Quotation.exe API call chain: ExitProcess graph end node graph_0-2858
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD16A6 rdtsc 4_2_35AD16A6
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_00403148 LdrInitializeThunk,GetTickCount,GetTickCount,LdrInitializeThunk,MulDiv,wsprintfW,LdrInitializeThunk, 0_2_00403148
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_73402351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73402351
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A215A9 mov eax, dword ptr fs:[00000030h] 4_2_35A215A9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF626 mov eax, dword ptr fs:[00000030h]4_2_359FF626
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF626 mov eax, dword ptr fs:[00000030h]4_2_359FF626
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF626 mov eax, dword ptr fs:[00000030h]4_2_359FF626
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A39660 mov eax, dword ptr fs:[00000030h]4_2_35A39660
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A39660 mov eax, dword ptr fs:[00000030h]4_2_35A39660
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A9D660 mov eax, dword ptr fs:[00000030h]4_2_35A9D660
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB11A4 mov eax, dword ptr fs:[00000030h]4_2_35AB11A4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB11A4 mov eax, dword ptr fs:[00000030h]4_2_35AB11A4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB11A4 mov eax, dword ptr fs:[00000030h]4_2_35AB11A4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB11A4 mov eax, dword ptr fs:[00000030h]4_2_35AB11A4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A1B1B0 mov eax, dword ptr fs:[00000030h]4_2_35A1B1B0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB5180 mov eax, dword ptr fs:[00000030h]4_2_35AB5180
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB5180 mov eax, dword ptr fs:[00000030h]4_2_35AB5180
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A57190 mov eax, dword ptr fs:[00000030h]4_2_35A57190
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD31E1 mov eax, dword ptr fs:[00000030h]4_2_35AD31E1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A251EF mov eax, dword ptr fs:[00000030h]4_2_35A251EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A051ED mov eax, dword ptr fs:[00000030h]4_2_35A051ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AA71F9 mov esi, dword ptr fs:[00000030h]4_2_35AA71F9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD51CB mov eax, dword ptr fs:[00000030h]4_2_35AD51CB
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A3D1D0 mov eax, dword ptr fs:[00000030h]4_2_35A3D1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A3D1D0 mov ecx, dword ptr fs:[00000030h]4_2_35A3D1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD7120 mov eax, dword ptr fs:[00000030h]4_2_35AD7120
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A01131 mov eax, dword ptr fs:[00000030h]4_2_35A01131
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A01131 mov eax, dword ptr fs:[00000030h]4_2_35A01131
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FB136 mov eax, dword ptr fs:[00000030h]4_2_359FB136
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FB136 mov eax, dword ptr fs:[00000030h]4_2_359FB136
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FB136 mov eax, dword ptr fs:[00000030h]4_2_359FB136
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FB136 mov eax, dword ptr fs:[00000030h]4_2_359FB136
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A99179 mov eax, dword ptr fs:[00000030h]4_2_35A99179
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9148 mov eax, dword ptr fs:[00000030h]4_2_359F9148
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9148 mov eax, dword ptr fs:[00000030h]4_2_359F9148
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9148 mov eax, dword ptr fs:[00000030h]4_2_359F9148
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9148 mov eax, dword ptr fs:[00000030h]4_2_359F9148
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A93140 mov eax, dword ptr fs:[00000030h]4_2_35A93140
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A93140 mov eax, dword ptr fs:[00000030h]4_2_35A93140
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A93140 mov eax, dword ptr fs:[00000030h]4_2_35A93140
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h]4_2_359FF172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A07152 mov eax, dword ptr fs:[00000030h]4_2_35A07152
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD5152 mov eax, dword ptr fs:[00000030h]4_2_35AD5152
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FD08D mov eax, dword ptr fs:[00000030h]4_2_359FD08D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8D080 mov eax, dword ptr fs:[00000030h]4_2_35A8D080
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8D080 mov eax, dword ptr fs:[00000030h]4_2_35A8D080
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A2D090 mov eax, dword ptr fs:[00000030h]4_2_35A2D090
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A2D090 mov eax, dword ptr fs:[00000030h]4_2_35A2D090
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A05096 mov eax, dword ptr fs:[00000030h]4_2_35A05096
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A3909C mov eax, dword ptr fs:[00000030h]4_2_35A3909C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A250E4 mov eax, dword ptr fs:[00000030h]4_2_35A250E4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A250E4 mov ecx, dword ptr fs:[00000030h]4_2_35A250E4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A7D0C0 mov eax, dword ptr fs:[00000030h]4_2_35A7D0C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A7D0C0 mov eax, dword ptr fs:[00000030h]4_2_35A7D0C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD50D9 mov eax, dword ptr fs:[00000030h]4_2_35AD50D9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A290DB mov eax, dword ptr fs:[00000030h]4_2_35A290DB
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC903E mov eax, dword ptr fs:[00000030h]4_2_35AC903E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC903E mov eax, dword ptr fs:[00000030h]4_2_35AC903E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC903E mov eax, dword ptr fs:[00000030h]4_2_35AC903E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC903E mov eax, dword ptr fs:[00000030h]4_2_35AC903E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8106E mov eax, dword ptr fs:[00000030h]4_2_35A8106E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD5060 mov eax, dword ptr fs:[00000030h]4_2_35AD5060
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov ecx, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h]4_2_35A11070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A7D070 mov ecx, dword ptr fs:[00000030h]4_2_35A7D070
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A2B052 mov eax, dword ptr fs:[00000030h]4_2_35A2B052
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A333A0 mov eax, dword ptr fs:[00000030h]4_2_35A333A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A333A0 mov eax, dword ptr fs:[00000030h]4_2_35A333A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A233A5 mov eax, dword ptr fs:[00000030h]4_2_35A233A5
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AA13B9 mov eax, dword ptr fs:[00000030h]4_2_35AA13B9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AA13B9 mov eax, dword ptr fs:[00000030h]4_2_35AA13B9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AA13B9 mov eax, dword ptr fs:[00000030h]4_2_35AA13B9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD539D mov eax, dword ptr fs:[00000030h]4_2_35AD539D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A5739A mov eax, dword ptr fs:[00000030h]4_2_35A5739A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A5739A mov eax, dword ptr fs:[00000030h]4_2_35A5739A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ABF3E6 mov eax, dword ptr fs:[00000030h]4_2_35ABF3E6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD53FC mov eax, dword ptr fs:[00000030h]4_2_35AD53FC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ABB3D0 mov ecx, dword ptr fs:[00000030h]4_2_35ABB3D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC132D mov eax, dword ptr fs:[00000030h]4_2_35AC132D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC132D mov eax, dword ptr fs:[00000030h]4_2_35AC132D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A2F32A mov eax, dword ptr fs:[00000030h]4_2_35A2F32A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8930B mov eax, dword ptr fs:[00000030h]4_2_35A8930B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8930B mov eax, dword ptr fs:[00000030h]4_2_35A8930B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8930B mov eax, dword ptr fs:[00000030h]4_2_35A8930B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F7330 mov eax, dword ptr fs:[00000030h]4_2_359F7330
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9353 mov eax, dword ptr fs:[00000030h]4_2_359F9353
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9353 mov eax, dword ptr fs:[00000030h]4_2_359F9353
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ABF367 mov eax, dword ptr fs:[00000030h]4_2_35ABF367
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A07370 mov eax, dword ptr fs:[00000030h]4_2_35A07370
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A07370 mov eax, dword ptr fs:[00000030h]4_2_35A07370
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A07370 mov eax, dword ptr fs:[00000030h]4_2_35A07370
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FD34C mov eax, dword ptr fs:[00000030h]4_2_359FD34C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FD34C mov eax, dword ptr fs:[00000030h]4_2_359FD34C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AA3370 mov eax, dword ptr fs:[00000030h]4_2_35AA3370
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD5341 mov eax, dword ptr fs:[00000030h]4_2_35AD5341
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A152A0 mov eax, dword ptr fs:[00000030h]4_2_35A152A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A152A0 mov eax, dword ptr fs:[00000030h]4_2_35A152A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A152A0 mov eax, dword ptr fs:[00000030h]4_2_35A152A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A152A0 mov eax, dword ptr fs:[00000030h]4_2_35A152A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A972A0 mov eax, dword ptr fs:[00000030h]4_2_35A972A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A972A0 mov eax, dword ptr fs:[00000030h]4_2_35A972A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC92A6 mov eax, dword ptr fs:[00000030h]4_2_35AC92A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC92A6 mov eax, dword ptr fs:[00000030h]4_2_35AC92A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC92A6 mov eax, dword ptr fs:[00000030h]4_2_35AC92A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC92A6 mov eax, dword ptr fs:[00000030h]4_2_35AC92A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A892BC mov eax, dword ptr fs:[00000030h]4_2_35A892BC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A892BC mov eax, dword ptr fs:[00000030h]4_2_35A892BC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A892BC mov ecx, dword ptr fs:[00000030h]4_2_35A892BC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A892BC mov ecx, dword ptr fs:[00000030h]4_2_35A892BC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD5283 mov eax, dword ptr fs:[00000030h]4_2_35AD5283
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A3329E mov eax, dword ptr fs:[00000030h]4_2_35A3329E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A3329E mov eax, dword ptr fs:[00000030h]4_2_35A3329E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h]4_2_35AB12ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FB2D3 mov eax, dword ptr fs:[00000030h]4_2_359FB2D3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FB2D3 mov eax, dword ptr fs:[00000030h]4_2_359FB2D3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FB2D3 mov eax, dword ptr fs:[00000030h]4_2_359FB2D3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD52E2 mov eax, dword ptr fs:[00000030h]4_2_35AD52E2
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ABF2F8 mov eax, dword ptr fs:[00000030h]4_2_35ABF2F8
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AAB2F0 mov eax, dword ptr fs:[00000030h]4_2_35AAB2F0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AAB2F0 mov eax, dword ptr fs:[00000030h]4_2_35AAB2F0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F92FF mov eax, dword ptr fs:[00000030h]4_2_359F92FF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A092C5 mov eax, dword ptr fs:[00000030h]4_2_35A092C5
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A092C5 mov eax, dword ptr fs:[00000030h]4_2_35A092C5
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A2F2D0 mov eax, dword ptr fs:[00000030h]4_2_35A2F2D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A2F2D0 mov eax, dword ptr fs:[00000030h]4_2_35A2F2D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD5227 mov eax, dword ptr fs:[00000030h]4_2_35AD5227
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A37208 mov eax, dword ptr fs:[00000030h]4_2_35A37208
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A37208 mov eax, dword ptr fs:[00000030h]4_2_35A37208
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ACD26B mov eax, dword ptr fs:[00000030h]4_2_35ACD26B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ACD26B mov eax, dword ptr fs:[00000030h]4_2_35ACD26B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A41270 mov eax, dword ptr fs:[00000030h]4_2_35A41270
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A41270 mov eax, dword ptr fs:[00000030h]4_2_35A41270
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A29274 mov eax, dword ptr fs:[00000030h]4_2_35A29274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9240 mov eax, dword ptr fs:[00000030h]4_2_359F9240
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9240 mov eax, dword ptr fs:[00000030h]4_2_359F9240
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A3724D mov eax, dword ptr fs:[00000030h]4_2_35A3724D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ABB256 mov eax, dword ptr fs:[00000030h]4_2_35ABB256
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ABB256 mov eax, dword ptr fs:[00000030h]4_2_35ABB256
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9D96 mov eax, dword ptr fs:[00000030h]4_2_359F9D96
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9D96 mov eax, dword ptr fs:[00000030h]4_2_359F9D96
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F9D96 mov ecx, dword ptr fs:[00000030h]4_2_359F9D96
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A95DA0 mov eax, dword ptr fs:[00000030h]4_2_35A95DA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A95DA0 mov eax, dword ptr fs:[00000030h]4_2_35A95DA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A95DA0 mov eax, dword ptr fs:[00000030h]4_2_35A95DA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A95DA0 mov ecx, dword ptr fs:[00000030h]4_2_35A95DA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A39DAF mov eax, dword ptr fs:[00000030h]4_2_35A39DAF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A1DDB1 mov eax, dword ptr fs:[00000030h]4_2_35A1DDB1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A1DDB1 mov eax, dword ptr fs:[00000030h]4_2_35A1DDB1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A1DDB1 mov eax, dword ptr fs:[00000030h]4_2_35A1DDB1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8DDB1 mov eax, dword ptr fs:[00000030h]4_2_35A8DDB1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359FFD80 mov eax, dword ptr fs:[00000030h]4_2_359FFD80
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8DDC0 mov eax, dword ptr fs:[00000030h]4_2_35A8DDC0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ACDDC6 mov eax, dword ptr fs:[00000030h]4_2_35ACDDC6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ABDDC7 mov eax, dword ptr fs:[00000030h]4_2_35ABDDC7
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A03DD0 mov eax, dword ptr fs:[00000030h]4_2_35A03DD0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A03DD0 mov eax, dword ptr fs:[00000030h]4_2_35A03DD0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A13D20 mov eax, dword ptr fs:[00000030h]4_2_35A13D20
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8FD2A mov eax, dword ptr fs:[00000030h]4_2_35A8FD2A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8FD2A mov eax, dword ptr fs:[00000030h]4_2_35A8FD2A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A13D00 mov eax, dword ptr fs:[00000030h]4_2_35A13D00
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A07D75 mov eax, dword ptr fs:[00000030h]4_2_35A07D75
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A07D75 mov eax, dword ptr fs:[00000030h]4_2_35A07D75
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB9D70 mov eax, dword ptr fs:[00000030h]4_2_35AB9D70
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AB9D70 mov eax, dword ptr fs:[00000030h]4_2_35AB9D70
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_359F7D41 mov eax, dword ptr fs:[00000030h]4_2_359F7D41
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A3BD4E mov eax, dword ptr fs:[00000030h]4_2_35A3BD4E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A3BD4E mov eax, dword ptr fs:[00000030h]4_2_35A3BD4E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35A8DD47 mov eax, dword ptr fs:[00000030h]4_2_35A8DD47
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC1D5A mov eax, dword ptr fs:[00000030h]4_2_35AC1D5A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC1D5A mov eax, dword ptr fs:[00000030h]4_2_35AC1D5A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC1D5A mov eax, dword ptr fs:[00000030h]4_2_35AC1D5A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AC1D5A mov eax, dword ptr fs:[00000030h]4_2_35AC1D5A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD5D50 mov eax, dword ptr fs:[00000030h]4_2_35AD5D50
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35AD5D50 mov eax, dword ptr fs:[00000030h]4_2_35AD5D50
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h]4_2_35ABFCAB
      Source: C:\Users\user\Desktop\Quotation.exe Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx

      Stealing of Sensitive Information

      Source: Yara match. File source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match. File source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 22 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Source | Detection | Scanner | Label | Link
      Quotation.exe | 45% | ReversingLabs | Win32.Backdoor.FormBook |

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | 0% | ReversingLabs | |

      No Antivirus matches
      No Antivirus matches

      Source | Detection | Scanner | Label | Link
      https://apis.google.com | 0% | URL Reputation | safe |

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      drive.google.com | 142.250.186.174 | true | false | | unknown
      drive.usercontent.google.com | 142.250.186.129 | true | false | | unknown
      18.31.95.13.in-addr.arpa | unknown | unknown | true | | unknown
      50.23.12.20.in-addr.arpa | unknown | unknown | true | | unknown

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Quotation.exe, 00000004.00000001.2043874157.00000000005F2000.00000020.00000001.01000000.00000008.sdmp | false | | unknown
      https://www.google.com | Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      http://www.ftp.ftp://ftp.gopher. | Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp | false | | unknown
      https://drive.usercontent.google.com/ | Quotation.exe, 00000004.00000002.2262193150.00000000057BD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Quotation.exe, 00000004.00000001.2043874157.00000000005F2000.00000020.00000001.01000000.00000008.sdmp | false | | unknown
      https://apis.google.com | Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://nsis.sf.net/NSIS_Error... | Quotation.exe | false | | unknown
      https://drive.google.com/ | Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      https://drive.google.com/r | Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp | false | | unknown

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      142.250.186.129 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false
      142.250.186.174 | drive.google.com | United States | | 15169 | GOOGLEUS | false

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1546656
                                Start date and time:2024-11-01 12:06:06 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 58s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:5
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:Quotation.exe
                                Detection:MAL
                                Classification:mal88.troj.evad.winEXE@3/12@4/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 63%
                                • Number of executed functions: 32
                                • Number of non-executed functions: 294
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                • VT rate limit hit for: Quotation.exe
                                Time | Type | Description
                                07:07:54 | API Interceptor | 3x Sleep call for process: Quotation.exe modified
                                No context

      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      37f463bf4616ecd445d4a1937da06e19 | V323904LY3.lNK.lnk | malicious | Unknown | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | PO-000172483.exe | malicious | FormBook, GuLoader | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | PO-000172483.exe | malicious | FormBook, GuLoader | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | oZ7nac01Em.exe | malicious | Stealc, Vidar | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.6479.21607.exe | malicious | Unknown | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | WGo3ga1AL9.exe | malicious | Stealc, Vidar | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe | malicious | FormBook, GuLoader | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe | malicious | FormBook, GuLoader | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | PO-000172483 (2).exe | malicious | FormBook, GuLoader | 142.250.186.129, 142.250.186.174
      37f463bf4616ecd445d4a1937da06e19 | Quotation.exe | malicious | FormBook, GuLoader | 142.250.186.129, 142.250.186.174
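
      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | PO-000172483.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | PO-000172483.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | PO-000172483 (2).exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | Quotation.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | Quotation.exe | malicious | AgentTesla, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | rPO-000172483.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | rPO-000172483.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | gHQQfMh4F3.exe | malicious | GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | gHQQfMh4F3.exe | malicious | GuLoader |
      C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll | N874xsydiD.exe | malicious | GuLoader |
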
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12288
                                                    Entropy (8bit):5.97694153396788
                                                    Encrypted:false
                                                    SSDEEP:192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
                                                    MD5:D6F54D2CEFDF58836805796F55BFC846
                                                    SHA1:B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D
                                                    SHA-256:F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9
                                                    SHA-512:CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
                                                    • Filename: PO-000172483.exe, Detection: malicious, Browse
                                                    • Filename: PO-000172483.exe, Detection: malicious, Browse
                                                    • Filename: PO-000172483 (2).exe, Detection: malicious, Browse
                                                    • Filename: Quotation.exe, Detection: malicious, Browse
                                                    • Filename: Quotation.exe, Detection: malicious, Browse
                                                    • Filename: rPO-000172483.exe, Detection: malicious, Browse
                                                    • Filename: rPO-000172483.exe, Detection: malicious, Browse
                                                    • Filename: gHQQfMh4F3.exe, Detection: malicious, Browse
                                                    • Filename: gHQQfMh4F3.exe, Detection: malicious, Browse
                                                    • Filename: N874xsydiD.exe, Detection: malicious, Browse
                                                    Reputation:moderate, very likely benign file
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):35
                                                    Entropy (8bit):4.264578373902383
                                                    Encrypted:false
                                                    SSDEEP:3:apWPWPjNLCNHiy:UPRCNHiy
                                                    MD5:58AC0B5E1D49D0EE1AED2FE13FAE6C7A
                                                    SHA1:02C8384573D47CA39F2E2ACA32B275861EC59A93
                                                    SHA-256:624F49944CB84ED51FECABCD549AE3B47152F9A20C4A95E93C8B007AEFE9FEAB
                                                    SHA-512:8F5F062D6EBB8312DA4AD4F5AF077B1EAA2E14244823F15E6A87A9E48C7172CC1EA5AB691D3B4F9D8F8E0605F9CB3AA06590B4389820DA531633D9915B988FFC
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:[broadspread]..slyngvrk=houghband..
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):482519
                                                    Entropy (8bit):1.2446382063037653
                                                    Encrypted:false
                                                    SSDEEP:1536:+yiLw81PnsncGiIsTVODPOqNbsVEVWZkZA4:G/Pne9iIyVODPsVpZkZA4
                                                    MD5:1D099F6122F4B7C8A78925726B59E5C3
                                                    SHA1:EEA154E31FF04CD1A2CED0193F7633ED219CFA47
                                                    SHA-256:1B6DC1EAD079DB05B998725B154E803E6E1504E7E5B49C5611D55E018CD45E6D
                                                    SHA-512:F31F0A285C5A6EB2236CCD49A8BF939E46624F270E0270FC4C5640B37684BC1C7780C5350F778DA8E9D0B8CD25320C1909A9CD937F15BB3A7CDDBCEEE94C47FB
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):369843
                                                    Entropy (8bit):7.629977866684954
                                                    Encrypted:false
                                                    SSDEEP:6144:6EypBtE9/dGm8lXjiRzud/+Gkzv+FgxTTnDHDnydHtuvCtG7EbiA7w0HdWJg:6btK1eXuRzg/+GkaSVTDjncHtuAu3A79
                                                    MD5:6F0C443C92E0FE20FC11929EA216ED03
                                                    SHA1:D90FD89E448385B765E61627A947E3990489AE5B
                                                    SHA-256:B9049859A352190740651A7E919F6D71AB41CB5347AF0115F592037F47935FA9
                                                    SHA-512:177CD0AD99100883123F2181D72CBAE044B8B036D9BCD7FB7529C4161FCD0AE2033F3CD0749DA3A24DAA0D40D69B37089828AA87A4E3DFE3F1AA9841878C3695
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):433786
                                                    Entropy (8bit):1.255949132332751
                                                    Encrypted:false
                                                    SSDEEP:768:NFXORpsqJLOaVDzzoIgUPRGRoYNxHVxyczaUz4pP9Nom56I4tY6UBh1Yc88LaAQo:TUAoYxPzqoIzdwWR1+/24cwZXeCPiIBo
                                                    MD5:53FF1A157920AE92C9BF891D453D6B65
                                                    SHA1:B7BF3B7B16048F38132D8ACCA841130D73DB44C3
                                                    SHA-256:FAD1B5E641DC44B5A51048470D4E0FB47664CF2B994CEA24304495D99323B9DE
                                                    SHA-512:E739381C24627F89255DB55B2DA39A09F055A322C577C3604BA048FB2C817AE7F63B12131F8461491F6140953FB33DD94EB66D8CB3B13B36717143342CE270AF
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):374902
                                                    Entropy (8bit):1.250991222921627
                                                    Encrypted:false
                                                    SSDEEP:1536:XkYzjcLYszRzU5n1C900tMkYQx+gnpovYHO:XkYz4DzQB5sYYH
                                                    MD5:169115C751DDA5E021E8C86E8454B26D
                                                    SHA1:5A8254634C0C726BB18E42E626EAEB581D532DCD
                                                    SHA-256:ACCD4911D88E808AED4A2AA27394628C62574810B0B47977B7103A246FDF2A10
                                                    SHA-512:2B643014E8623CADBA7CE78B91D3C751D60FCBF3FA69FA26F29A14E55679FC6A5C2074834B2496773A1756E3172EC7C898E2DF29CB4A0513DBF8BC0DCDDA7E04
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):489048
                                                    Entropy (8bit):1.245615736901525
                                                    Encrypted:false
                                                    SSDEEP:1536:HMtjgMjMD1whyMu1IXCVAcFNpruXO+nBJH:stjgmYi03XDL+nBJ
                                                    MD5:B4FB425BAF217F31E91AAB39ABF66DCD
                                                    SHA1:03DE3BD0F923AB14213B6C4461C5CA73A0A6371C
                                                    SHA-256:4BC57A47B82B63EC20B393F65F3585EB81FE3F7748229CD19DEC8FE8A41D67C3
                                                    SHA-512:E72395FD6098130EFD543C5941781A1AA80FCE17C7701CB40FA8874271E0D43E0F7F082EBF5D458181287DE41CF4B34F88DCAABE84D8AD51003EF5DA1495D871
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):371
                                                    Entropy (8bit):4.247837387326688
                                                    Encrypted:false
                                                    SSDEEP:6:r8pLNAsEyv1WABlvMW9uu+IXvVJyQXPhXOQemtNxgFUvNwmA6AQOp2jMPA9cnb:ruJAOgABlQuTXbyKhXOLmtLgHmFOYjMV
                                                    MD5:46003C65AA12A0EBE55662F0141186DC
                                                    SHA1:739652C3375018DAFFB986302A7D3E8D32770B41
                                                    SHA-256:2EA079DEDE1B356842C5F5E0751B5E2B6565FDED65DAFB59A73D170C002ABB27
                                                    SHA-512:59D394789F9EECE97873D56AEA64F353D3E13E007E4ACBD396AC76CB68E91494EB65888049EF05CBE9B20597ADADCC960D067F90AAD3EA5AA46AC3A82F5B82FD
                                                    Malicious:false
                                                    Preview:degageredes indtgters commencing subfunctional rubiator startkatalogernes dismasted outsport..surkaalen syndedes turtledoving,leddelsestes obs jernholdigt normsammenbruds.azotite hestesko hvilkes snrkels enstatitite nappes,slangudtrykkets squills consonantising windchest interpretableness lynkrigen..vinders drikkegildet orgal snakkehjrnets responders etageejendommens..
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):288955
                                                    Entropy (8bit):1.2577770955280814
                                                    Encrypted:false
                                                    SSDEEP:768:l1SkOmjqFRV/HZzy6+19kZBH4YVHCdJS7G5iOUEEaXXLlgHHl7MRY9hN+418WPK5:KOqvBJzC5vBhp8KT9AGCbQTZkkR
                                                    MD5:0B62328C4966F6B879B3C13B7FBD9C0D
                                                    SHA1:6DD81F12E739E81E06778067513ED1178A06AFC9
                                                    SHA-256:645C325F62AF720972466322B09A7E396E46D8E640B138D582374B68D763A3A7
                                                    SHA-512:2F738A2950352F124F7B969D38B52BD2E4453FF42BC8DEB7566620E6CDEA30368A6DC16230BA49050F8C0327175CAB71DC4A1709541F08A3FFDCF55FAF5B75B8
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):139601
                                                    Entropy (8bit):4.61537500518796
                                                    Encrypted:false
                                                    SSDEEP:1536:tVgb7qrHny+uCD5wC4oceCt4te4kBwkDzhXAkUd1JjNkCdH9Exy3mv7zy1c/JH:w76u8R5V41zh+JjNkCdHyxy3mvHyyhH
                                                    MD5:1D160CB39F9C70CC5468DB8E075DD655
                                                    SHA1:B9CD90FF90E3EF4E46D3D606E75F91348E63073D
                                                    SHA-256:556634B9DB98EE3B1DAB5C5AA0D2422C07244B89CF690FF52AD6226297D0F859
                                                    SHA-512:51B29DCA2246B2BAAAA3051519561B01D2FB5C316DBC2ADDBE2EFF009F62AF5E114BEE0D0D08C40F77BB7A632D071F429FDF583D4F110136600E9584EE251A83
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):340974
                                                    Entropy (8bit):1.254605943274635
                                                    Encrypted:false
                                                    SSDEEP:768:AgVdAd1etxyZmQhZgJwrQTTwKuiTGrJqCoIEsPkZnFFSKsOI4v/3n35lB3LiADa4:5TxLsV5IjQ3xx12
                                                    MD5:49BE0E06F2E4F0CCFFB46426EE262642
                                                    SHA1:FF9C56C31A824E4CA087705C23D01D288FE34239
                                                    SHA-256:A55DAC07FB586D4B64F0DDF812087A2EEEC6F5286D9BC73AD648ED3220ABDD3A
                                                    SHA-512:27E9D035708943DD257186457C15488C9405747FC77F7C76760C96EE011C239F9FA53B5DA17958038FB2BA1C4E27E643E7924A37E6164E250B9F45A109D92E53
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\Quotation.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):392462
                                                    Entropy (8bit):1.241128723454179
                                                    Encrypted:false
                                                    SSDEEP:768:jby0EUrStmwpKcx/orVcYZ+M3ok1I7vZFCDrlv2UV5t3votN6cGia46OGj3OkYSk:FaZaukRTadSdbrJ5N275Ea3nRYS3r
                                                    MD5:F130EC3095DBECEDC791D8C58A59040C
                                                    SHA1:DAD2300B487F31F199520E1B41AB02B7D677B352
                                                    SHA-256:A56351ED69A301F5D9D89B6530280B7A85F998A806E1648911C37B6983BA9426
                                                    SHA-512:8599200F472F2D59390E8F2C497331640B12AB9FAF71817160C6D450EDF8A99F78CEF28CC3B57581D6AECFC1EC90A49947A6685C606321B6EE300D483C838360
                                                    Malicious:false
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                    Entropy (8bit):7.809850655504734
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Quotation.exe
                                                    File size:1'189'752 bytes
                                                    MD5:fbd9ee316d3beb79ca69987ddc7563a3
                                                    SHA1:9330cd86914cc967b3757cfd56e261661a207358
                                                    SHA256:dd15fe7ea08743edcf83e3511206a76569d339d9c6e10a99e7d977f911131b76
                                                    SHA512:6ec309320135b90c2f204cafe113144a78b0f2bc971678e67e21da3515b8565e955dd59e260d07b4e7fc986daceff1c09556b20803198cc9e8088149cce39356
                                                    SSDEEP:24576:l4nhDoAFkObxapMUdJ7uCnb+BNFweI4ZNXLGQ7WczkxFnfbP9:l+hkf2apPVb+5weI+NXKQKczg
                                                    TLSH:6845231D72A1C04BEB821B384BF7E337EB7AED012C25966777212B0D9E75348ADC6650
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n.
                                                    Icon Hash:873335651170390f
                                                    Entrypoint:0x4036da
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x632AE721 [Wed Sep 21 10:27:45 2022 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:1
                                                    File Version Major:5
                                                    File Version Minor:1
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:1
                                                    Import Hash:3f91aceea750f765ef2ba5d9988e6a00
                                                    Signature Valid:false
                                                    Signature Issuer:CN=Wharfside, O=Wharfside, L=Pliening, C=DE
                                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                    Error Number:-2146762487
                                                    Not Before, Not After
                                                    • 18/12/2023 01:23:29 17/12/2026 01:23:29
                                                    Subject Chain
                                                    • CN=Wharfside, O=Wharfside, L=Pliening, C=DE
                                                    Version:3
                                                    Thumbprint MD5:B078224F50DCCD5519D4475860B6C234
                                                    Thumbprint SHA-1:8ADE93E556715FCFBADAD5DB48DCA0E7A6AFBB8F
                                                    Thumbprint SHA-256:85C3112CA3E7E843DA082FB2193CF109FEEF22AC6E99469D1CA3871648DA882F
                                                    Serial:5D34841BA6E924A3AA82D3EAB8F85ACEBF92E013
                                                    Instruction
                                                    sub esp, 000003ECh
                                                    push ebx
                                                    push ebp
                                                    push esi
                                                    push edi
                                                    xor ebx, ebx
                                                    mov edi, 00408528h
                                                    push 00008001h
                                                    mov dword ptr [esp+14h], ebx
                                                    mov ebp, ebx
                                                    call dword ptr [00408170h]
                                                    mov esi, dword ptr [004080ACh]
                                                    lea eax, dword ptr [esp+2Ch]
                                                    xorps xmm0, xmm0
                                                    mov dword ptr [esp+40h], ebx
                                                    push eax
                                                    movlpd qword ptr [esp+00000144h], xmm0
                                                    mov dword ptr [esp+30h], 0000011Ch
                                                    call esi
                                                    test eax, eax
                                                    jne 00007F772CB58B39h
                                                    lea eax, dword ptr [esp+2Ch]
                                                    mov dword ptr [esp+2Ch], 00000114h
                                                    push eax
                                                    call esi
                                                    push 00000053h
                                                    pop eax
                                                    mov dl, 04h
                                                    mov byte ptr [esp+00000146h], dl
                                                    cmp word ptr [esp+40h], ax
                                                    jne 00007F772CB58B13h
                                                    mov eax, dword ptr [esp+5Ah]
                                                    add eax, FFFFFFD0h
                                                    mov word ptr [esp+00000140h], ax
                                                    jmp 00007F772CB58B0Dh
                                                    xor eax, eax
                                                    jmp 00007F772CB58AF4h
                                                    mov dl, byte ptr [esp+00000146h]
                                                    cmp dword ptr [esp+30h], 0Ah
                                                    jnc 00007F772CB58B0Dh
                                                    movzx eax, word ptr [esp+38h]
                                                    mov dword ptr [esp+38h], eax
                                                    jmp 00007F772CB58B06h
                                                    mov eax, dword ptr [esp+38h]
                                                    mov dword ptr [007A8638h], eax
                                                    movzx eax, byte ptr [esp+30h]
                                                    shl ax, 0008h
                                                    movzx ecx, ax
                                                    movzx eax, byte ptr [esp+34h]
                                                    or ecx, eax
                                                    movzx eax, byte ptr [esp+00000140h]
                                                    shl ax, 0008h
                                                    shl ecx, 10h
                                                    movzx eax, word ptr [eax]
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8a00 | 0xa0 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3db000 | 0x3e910 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x121580 | 0x11f8 | .data
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x1000 | 0x6c0b | 0x6e00 | 9178309eee1a86dc5ef945d6826a6897 | False | 0.6605823863636363 | data | 6.398414552532143 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rdata | 0x8000 | 0x1896 | 0x1a00 | 0885e83a553c38819d1fab2908ca0cf5 | False | 0.4307391826923077 | data | 4.86610208699674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .data | 0xa000 | 0x39e640 | 0x200 | 5c0f03a1a77f205400c2cbabec9976c4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .ndata | 0x3a9000 | 0x32000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .rsrc | 0x3db000 | 0x3e910 | 0x3ea00 | 2690c3c0c1de505f961321c7e2d6da34 | False | 0.6915076097804391 | data | 6.574790239627466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                    RT_ICON | 0x3db388 | 0x16482 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.000394451383867
                                                    RT_ICON | 0x3f1810 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.486498876138649
                                                    RT_ICON | 0x402038 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.5308492747529956
                                                    RT_ICON | 0x40b4e0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.5497227356746766
                                                    RT_ICON | 0x410968 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.5415682569674067
                                                    RT_ICON | 0x414b90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5884854771784233
                                                    RT_ICON | 0x417138 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6179643527204502
                                                    RT_ICON | 0x4181e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6668032786885246
                                                    RT_ICON | 0x418b68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7287234042553191
                                                    RT_DIALOG | 0x418fd0 | 0x100 | data | English | United States | 0.5234375
                                                    RT_DIALOG | 0x4190d0 | 0x11c | data | English | United States | 0.6056338028169014
                                                    RT_DIALOG | 0x4191f0 | 0xc4 | data | English | United States | 0.5918367346938775
                                                    RT_DIALOG | 0x4192b8 | 0x60 | data | English | United States | 0.7291666666666666
                                                    RT_GROUP_ICON | 0x419318 | 0x84 | Targa image data - Map 32 x 25730 x 1 +1 | English | United States | 0.7348484848484849
                                                    RT_VERSION | 0x4193a0 | 0x220 | data | English | United States | 0.5110294117647058
                                                    RT_MANIFEST | 0x4195c0 | 0x349 | XML 1.0 document, ASCII text, with very long lines (841), with no line terminators | English | United States | 0.5529131985731273
DLL | Import
ADVAPI32.dll | RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll | ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll | OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll | SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll | WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T12:07:17.375917+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-01T12:07:40.421570+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 59643 | TCP
2024-11-01T12:07:41.838078+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 59644 | TCP
2024-11-01T12:07:48.379430+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 59645 | 142.250.186.174 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Nov 1, 2024 12:07:52.861082077 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.863780022 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.863837004 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.864583015 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.864631891 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.866678953 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.866734028 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.866746902 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.866794109 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.869209051 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.869265079 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.869354010 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.869399071 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.873142958 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.873198986 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.873208046 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.873250008 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.874876976 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.874923944 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.874934912 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.874982119 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.877549887 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.877603054 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.877609968 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.877655029 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.880225897 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.880279064 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.880286932 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.880333900 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.882719040 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.882771015 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.882777929 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.882829905 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.885375023 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.885426998 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.885477066 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.885524988 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.888151884 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.888197899 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.888206005 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.888250113 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.890582085 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.890633106 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.890645027 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.890691042 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.892963886 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.893016100 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.893023014 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.893071890 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.895584106 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.895628929 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.895636082 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.895684004 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.897902966 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.897955894 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.897968054 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.898015976 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.900393009 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.900438070 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.900444984 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.900490999 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.903352022 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.903398037 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.903404951 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.903462887 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.903470039 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.903515100 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.905354023 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.905397892 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.905405045 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.905451059 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.907689095 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.907737017 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.907742977 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.907788992 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.910209894 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.910264969 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.910271883 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.910320044 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.930187941 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930264950 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.930285931 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930330992 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930335999 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.930344105 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930371046 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.930418015 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.930471897 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930526972 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.930598021 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930648088 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.930654049 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930701971 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930705070 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.930712938 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.930752039 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.931865931 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.931912899 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.931919098 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.931927919 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.931969881 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.931976080 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.932020903 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.932028055 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.932076931 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.932385921 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.932434082 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.932440996 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.932492018 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.932673931 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.932717085 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.932723045 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.932770014 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.933855057 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.933904886 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.933912992 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.933958054 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.935870886 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.935920000 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.935925961 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.935971022 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.937931061 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.937978983 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.937985897 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.938035011 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.940701008 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.940752029 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.940759897 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.940807104 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.942436934 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.942481041 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.942487955 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.942533970 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.944817066 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.944863081 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.944869995 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.944912910 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.946683884 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.946742058 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.946749926 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.946798086 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.949105024 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.949157000 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.949163914 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.949217081 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.951298952 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.951339960 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.951345921 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.951390982 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.953094959 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.953140974 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.953147888 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.953196049 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.955116034 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.955163956 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.955171108 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.955216885 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.957542896 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.957592010 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.957600117 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.957647085 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.960424900 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.960474968 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.960480928 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.960530043 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.961208105 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.961252928 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.961287022 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.961330891 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.963397980 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.963464975 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.963471889 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.963536024 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.965080976 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.965136051 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.965142965 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.965182066 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.966921091 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.966969013 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.966975927 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.967021942 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.969312906 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.969362974 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.969367981 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.969415903 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.970480919 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.970527887 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.970563889 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.970608950 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.972491026 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.972534895 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.972541094 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.972589970 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.974189997 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.974232912 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.974239111 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.974278927 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.975821972 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.975869894 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.975900888 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.975944996 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.977519035 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.977565050 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.977571964 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.977617979 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.977650881 CET59646443192.168.2.4142.250.186.129
                                                    Nov 1, 2024 12:07:52.977679014 CET44359646142.250.186.129192.168.2.4
                                                    Nov 1, 2024 12:07:52.977730989 CET59646443192.168.2.4142.250.186.129
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Nov 1, 2024 12:07:31.766803980 CET | 53 | 51023 | 162.159.36.2 | 192.168.2.4
                                                    Nov 1, 2024 12:07:32.516433954 CET | 49706 | 53 | 192.168.2.4 | 1.1.1.1
                                                    Nov 1, 2024 12:07:32.523818016 CET | 53 | 49706 | 1.1.1.1 | 192.168.2.4
                                                    Nov 1, 2024 12:07:35.261488914 CET | 63533 | 53 | 192.168.2.4 | 1.1.1.1
                                                    Nov 1, 2024 12:07:35.269788027 CET | 53 | 63533 | 1.1.1.1 | 192.168.2.4
                                                    Nov 1, 2024 12:07:47.088732004 CET | 60383 | 53 | 192.168.2.4 | 1.1.1.1
                                                    Nov 1, 2024 12:07:47.095838070 CET | 53 | 60383 | 1.1.1.1 | 192.168.2.4
                                                    Nov 1, 2024 12:07:48.411266088 CET | 61024 | 53 | 192.168.2.4 | 1.1.1.1
                                                    Nov 1, 2024 12:07:48.418246984 CET | 53 | 61024 | 1.1.1.1 | 192.168.2.4
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Nov 1, 2024 12:07:32.516433954 CET | 192.168.2.4 | 1.1.1.1 | 0x9b51 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                                    Nov 1, 2024 12:07:35.261488914 CET | 192.168.2.4 | 1.1.1.1 | 0xe739 | Standard query (0) | 50.23.12.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                                    Nov 1, 2024 12:07:47.088732004 CET | 192.168.2.4 | 1.1.1.1 | 0x2bbc | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                                    Nov 1, 2024 12:07:48.411266088 CET | 192.168.2.4 | 1.1.1.1 | 0x2fed | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Nov 1, 2024 12:07:32.523818016 CET | 1.1.1.1 | 192.168.2.4 | 0x9b51 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                    Nov 1, 2024 12:07:35.269788027 CET | 1.1.1.1 | 192.168.2.4 | 0xe739 | Name error (3) | 50.23.12.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                    Nov 1, 2024 12:07:47.095838070 CET | 1.1.1.1 | 192.168.2.4 | 0x2bbc | No error (0) | drive.google.com |  | 142.250.186.174 | A (IP address) | IN (0x0001) | false
                                                    Nov 1, 2024 12:07:48.418246984 CET | 1.1.1.1 | 192.168.2.4 | 0x2fed | No error (0) | drive.usercontent.google.com |  | 142.250.186.129 | A (IP address) | IN (0x0001) | false
                                                    • drive.google.com
                                                    • drive.usercontent.google.com
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.4 | 59645 | 142.250.186.174 | 443 | 7904 | C:\Users\user\Desktop\Quotation.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-01 11:07:48 UTC | 216 | OUT | GET /uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                    Host: drive.google.com
                                                    Cache-Control: no-cache
                                                    2024-11-01 11:07:48 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                    Content-Type: application/binary
                                                    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                    Pragma: no-cache
                                                    Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                    Date: Fri, 01 Nov 2024 11:07:48 GMT
                                                    Location: https://drive.usercontent.google.com/download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=download
                                                    Strict-Transport-Security: max-age=31536000
                                                    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                    Cross-Origin-Opener-Policy: same-origin
                                                    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                    Content-Security-Policy: script-src 'nonce-zO1YtP6djijhRcJtcB2Few' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                    Server: ESF
                                                    Content-Length: 0
                                                    X-XSS-Protection: 0
                                                    X-Frame-Options: SAMEORIGIN
                                                    X-Content-Type-Options: nosniff
                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                    Connection: close


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.4 | 59646 | 142.250.186.129 | 443 | 7904 | C:\Users\user\Desktop\Quotation.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-01 11:07:49 UTC | 258 | OUT | GET /download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=download HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                    Cache-Control: no-cache
                                                    Host: drive.usercontent.google.com
                                                    Connection: Keep-Alive
                                                    2024-11-01 11:07:52 UTC | 4916 | IN | HTTP/1.1 200 OK
                                                    Content-Type: application/octet-stream
                                                    Content-Security-Policy: sandbox
                                                    Content-Security-Policy: default-src 'none'
                                                    Content-Security-Policy: frame-ancestors 'none'
                                                    X-Content-Security-Policy: sandbox
                                                    Cross-Origin-Opener-Policy: same-origin
                                                    Cross-Origin-Embedder-Policy: require-corp
                                                    Cross-Origin-Resource-Policy: same-site
                                                    X-Content-Type-Options: nosniff
                                                    Content-Disposition: attachment; filename="TwhukYndk9.bin"
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Credentials: false
                                                    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                    Accept-Ranges: bytes
                                                    Content-Length: 287296
                                                    Last-Modified: Thu, 31 Oct 2024 13:18:09 GMT
                                                    X-GUploader-UploadID: AHmUCY3ttz2fLGoj84JYdckiYZ9fQQp_WWsvzgPUR1CEO6ayie6zYtKDurfxtY_Zod6GaKslqvsZVn6D_Q
                                                    Date: Fri, 01 Nov 2024 11:07:52 GMT
                                                    Expires: Fri, 01 Nov 2024 11:07:52 GMT
                                                    Cache-Control: private, max-age=0
                                                    X-Goog-Hash: crc32c=yp+T8g==
                                                    Server: UploadServer
                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                    Connection: close



                                                    Target ID:0
                                                    Start time:07:06:59
                                                    Start date:01/11/2024
                                                    Path:C:\Users\user\Desktop\Quotation.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Quotation.exe"
                                                    Imagebase:0x400000
                                                    File size:1'189'752 bytes
                                                    MD5 hash:FBD9EE316D3BEB79CA69987DDC7563A3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2045391530.000000000592C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:07:07:34
                                                    Start date:01/11/2024
                                                    Path:C:\Users\user\Desktop\Quotation.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Quotation.exe"
                                                    Imagebase:0x400000
                                                    File size:1'189'752 bytes
                                                    MD5 hash:FBD9EE316D3BEB79CA69987DDC7563A3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:low
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:30.4%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:18.4%
                                                      Total number of Nodes:827
                                                      Total number of Limit Nodes:18
403c83 12 API calls 2842->2845 2843->2832 2843->2840 2849 403974 2843->2849 3019 4036b0 2844->3019 2848 4039f2 2845->2848 2940 405a1c 2846->2940 2848->2836 2848->2844 3001 406af8 lstrcpynW 2849->3001 2864 403a2c 2850->2864 2854 403bd7 2856 406a86 MessageBoxIndirectW 2854->2856 2855 403bea 2857 403bf3 GetCurrentProcess OpenProcessToken 2855->2857 2858 403be2 ExitProcess 2855->2858 2856->2858 2862 403c0b LookupPrivilegeValueW AdjustTokenPrivileges 2857->2862 2863 403c3f 2857->2863 2859 403a56 3002 406616 2859->3002 2860 403a97 2867 4064da 5 API calls 2860->2867 2862->2863 2866 4068c4 5 API calls 2863->2866 2864->2859 2864->2860 2869 403c46 2866->2869 2870 403a9c lstrcatW 2867->2870 2873 403c5b ExitWindowsEx 2869->2873 2874 403c68 2869->2874 2871 403ac0 lstrcatW lstrcmpiW 2870->2871 2872 403ab1 lstrcatW 2870->2872 2871->2844 2875 403ae7 2871->2875 2872->2871 2873->2858 2873->2874 2877 401533 90 API calls 2874->2877 2878 403af0 2875->2878 2879 403af7 2875->2879 2877->2858 2881 405e1c 4 API calls 2878->2881 2882 405dfc 2 API calls 2879->2882 2880 403a77 3017 406af8 lstrcpynW 2880->3017 2884 403af5 2881->2884 2885 403afc SetCurrentDirectoryW 2882->2885 2884->2885 2886 403b10 2885->2886 2887 403b1f 2885->2887 3018 406af8 lstrcpynW 2886->3018 2997 406af8 lstrcpynW 2887->2997 2890 405e98 17 API calls 2891 403b4f DeleteFileW 2890->2891 2892 403b5a CopyFileW 2891->2892 2897 403b2d 2891->2897 2892->2897 2893 403bb3 2895 40621b 35 API calls 2893->2895 2894 40621b 35 API calls 2894->2897 2895->2844 2896 405e98 17 API calls 2896->2897 2897->2890 2897->2893 2897->2894 2897->2896 2899 403b9e CloseHandle 2897->2899 2998 4066b4 CreateProcessW 2897->2998 2899->2897 2900->2827 2901->2829 2903 406d1b 5 API calls 2902->2903 2905 403c8f 2903->2905 2904 403c99 2904->2834 2905->2904 2906 406534 3 API calls 2905->2906 2907 403ca1 2906->2907 2908 405dfc 2 API calls 2907->2908 2909 403ca7 2908->2909 2910 406a34 2 API calls 2909->2910 2911 403cb2 2910->2911 2911->2834 3026 4068f9 
GetFileAttributesW CreateFileW 2912->3026 2914 40340d 2939 40341a 2914->2939 3027 406af8 lstrcpynW 2914->3027 2916 403430 3028 406cee lstrlenW 2916->3028 2920 403441 GetFileSize 2921 403548 2920->2921 2937 40345a 2920->2937 3033 403367 2921->3033 2923 403557 2925 403598 GlobalAlloc 2923->2925 2923->2939 3044 403131 SetFilePointer 2923->3044 2924 40311b ReadFile 2924->2937 3045 403131 SetFilePointer 2925->3045 2926 403616 2928 403367 6 API calls 2926->2928 2928->2939 2930 403574 2932 406926 ReadFile 2930->2932 2931 4035b5 2934 403148 31 API calls 2931->2934 2935 403586 2932->2935 2933 403367 6 API calls 2933->2937 2936 4035c4 2934->2936 2935->2925 2935->2939 2936->2936 2938 4035f4 SetFilePointer 2936->2938 2936->2939 2937->2921 2937->2924 2937->2926 2937->2933 2937->2939 2938->2939 2939->2841 2941 4068c4 5 API calls 2940->2941 2942 405a30 2941->2942 2943 405a4b 2942->2943 2945 405a39 2942->2945 2944 406955 3 API calls 2943->2944 2946 405a7a 2944->2946 3058 4065fd wsprintfW 2945->3058 2948 405a99 lstrcatW 2946->2948 2950 406955 3 API calls 2946->2950 2949 405a49 2948->2949 3050 40595d 2949->3050 2950->2948 2953 406616 18 API calls 2954 405acb 2953->2954 2955 405b65 2954->2955 2957 406955 3 API calls 2954->2957 2956 406616 18 API calls 2955->2956 2958 405b6b 2956->2958 2959 405afe 2957->2959 2960 405b7b LoadImageW 2958->2960 2961 405e98 17 API calls 2958->2961 2959->2955 2964 405b22 lstrlenW 2959->2964 2968 4065d4 CharNextW 2959->2968 2962 405c28 2960->2962 2963 405bab RegisterClassW 2960->2963 2961->2960 2967 401533 90 API calls 2962->2967 2965 405bd8 2963->2965 2966 405bdf SystemParametersInfoW CreateWindowExW 2963->2966 2969 405b32 lstrcmpiW 2964->2969 2970 405b58 2964->2970 2965->2844 2966->2962 2971 405c2e 2967->2971 2972 405b1d 2968->2972 2969->2970 2973 405b42 GetFileAttributesW 2969->2973 2974 406534 3 API calls 2970->2974 2971->2965 2977 40595d 18 API calls 2971->2977 2972->2964 2976 405b4e 2973->2976 2975 405b5e 2974->2975 3059 406af8 lstrcpynW 2975->3059 
2976->2970 2980 406cee 2 API calls 2976->2980 2978 405c3b 2977->2978 2981 405c47 ShowWindow 2978->2981 2982 405cc9 2978->2982 2980->2970 2983 40617c 3 API calls 2981->2983 3060 405842 OleInitialize 2982->3060 2985 405c5f 2983->2985 2989 405c6d GetClassInfoW 2985->2989 2990 40617c 3 API calls 2985->2990 2986 405ccf 2987 405cd3 2986->2987 2988 405ced 2986->2988 2987->2965 2994 401533 90 API calls 2987->2994 2991 401533 90 API calls 2988->2991 2992 405c80 GetClassInfoW RegisterClassW 2989->2992 2993 405c96 DialogBoxParamW 2989->2993 2990->2989 2995 405cf4 2991->2995 2992->2993 2996 401533 90 API calls 2993->2996 2994->2965 2995->2995 2996->2965 2997->2897 2999 4066f3 2998->2999 3000 4066e7 CloseHandle 2998->3000 2999->2897 3000->2999 3001->2832 3068 406af8 lstrcpynW 3002->3068 3004 406627 3005 406ba3 4 API calls 3004->3005 3006 40662d 3005->3006 3007 403a64 3006->3007 3008 406d1b 5 API calls 3006->3008 3007->2844 3016 406af8 lstrcpynW 3007->3016 3014 406639 3008->3014 3009 406669 lstrlenW 3010 406675 3009->3010 3009->3014 3011 406534 3 API calls 3010->3011 3013 40667a GetFileAttributesW 3011->3013 3012 4065ad 2 API calls 3012->3014 3013->3007 3014->3007 3014->3009 3014->3012 3015 406cee 2 API calls 3014->3015 3015->3009 3016->2880 3017->2846 3018->2887 3020 4036c8 3019->3020 3021 4036ba CloseHandle 3019->3021 3069 403cf1 3020->3069 3021->3020 3026->2914 3027->2916 3029 406cfd 3028->3029 3030 406d03 CharPrevW 3029->3030 3031 403436 3029->3031 3030->3029 3030->3031 3032 406af8 lstrcpynW 3031->3032 3032->2920 3034 403386 3033->3034 3035 40336e 3033->3035 3038 403397 GetTickCount 3034->3038 3039 40338f 3034->3039 3036 403377 DestroyWindow 3035->3036 3037 40337e 3035->3037 3036->3037 3037->2923 3041 4033a5 CreateDialogParamW ShowWindow 3038->3041 3042 4033ca 3038->3042 3046 4061ed 3039->3046 3041->3042 3042->2923 3044->2930 3045->2931 3047 4061ff PeekMessageW 3046->3047 3048 4061f5 DispatchMessageW 3047->3048 3049 403396 3047->3049 3048->3047 3049->2923 3051 405970 
3050->3051 3067 4065fd wsprintfW 3051->3067 3053 4059e9 3054 405cf9 18 API calls 3053->3054 3056 4059ee 3054->3056 3055 405a17 3055->2953 3056->3055 3057 405e98 17 API calls 3056->3057 3057->3056 3058->2949 3059->2955 3061 4054c6 SendMessageW 3060->3061 3064 405865 3061->3064 3062 40588c 3063 4054c6 SendMessageW 3062->3063 3065 40589e OleUninitialize 3063->3065 3064->3062 3066 401399 90 API calls 3064->3066 3065->2986 3066->3064 3067->3053 3068->3004 3070 403cff 3069->3070 3071 4036cd 3070->3071 3072 403d04 FreeLibrary GlobalFree 3070->3072 3073 4066f7 3071->3073 3072->3071 3072->3072 3074 406616 18 API calls 3073->3074 3075 406719 3074->3075 3076 406722 DeleteFileW 3075->3076 3077 406739 3075->3077 3078 4036d9 OleUninitialize 3076->3078 3077->3078 3091 406859 3077->3091 3112 406af8 lstrcpynW 3077->3112 3078->2854 3078->2855 3080 406761 3081 406779 3080->3081 3082 40676b lstrcatW 3080->3082 3085 406cee 2 API calls 3081->3085 3084 40677f 3082->3084 3083 4065ad 2 API calls 3086 406876 3083->3086 3087 406790 lstrcatW 3084->3087 3089 406798 lstrlenW FindFirstFileW 3084->3089 3085->3084 3086->3078 3088 40687a 3086->3088 3087->3089 3090 406534 3 API calls 3088->3090 3089->3091 3101 4067c1 3089->3101 3092 406880 3090->3092 3091->3078 3091->3083 3093 406563 5 API calls 3092->3093 3094 40688c 3093->3094 3096 406890 3094->3096 3097 4068af 3094->3097 3095 40683b FindNextFileW 3099 406852 FindClose 3095->3099 3095->3101 3096->3078 3102 405d18 24 API calls 3096->3102 3100 405d18 24 API calls 3097->3100 3099->3091 3100->3078 3101->3095 3106 4066f7 59 API calls 3101->3106 3108 406807 3101->3108 3113 406af8 lstrcpynW 3101->3113 3104 40689c 3102->3104 3105 40621b 35 API calls 3104->3105 3107 4068a5 3105->3107 3106->3108 3107->3078 3108->3095 3109 405d18 24 API calls 3108->3109 3110 405d18 24 API calls 3108->3110 3111 40621b 35 API calls 3108->3111 3114 406563 3108->3114 3109->3095 3110->3108 3111->3108 3112->3080 3113->3101 3115 406b7b 2 API calls 3114->3115 3116 40656f 3115->3116 
3117 406587 DeleteFileW 3116->3117 3118 40657f RemoveDirectoryW 3116->3118 3119 406591 3116->3119 3120 40658d 3117->3120 3118->3120 3119->3108 3120->3119 3121 40659c SetFileAttributesW 3120->3121 3121->3119 3122 7340167a 3123 734016b7 3122->3123 3164 73402351 3123->3164 3125 734016be 3126 734017ef 3125->3126 3127 734016d6 3125->3127 3128 734016cf 3125->3128 3194 73402049 3127->3194 3210 73401fcb 3128->3210 3133 73401740 3139 73401791 3133->3139 3140 73401746 3133->3140 3134 73401722 3223 73402209 3134->3223 3135 7340170a 3150 73401700 3135->3150 3220 73402f9f 3135->3220 3136 734016eb 3138 734016f5 3136->3138 3145 73401702 3136->3145 3138->3150 3204 73402d14 3138->3204 3143 73402209 10 API calls 3139->3143 3242 73401f1e 3140->3242 3148 7340177e 3143->3148 3144 73401728 3234 73401668 3144->3234 3214 734017f7 3145->3214 3163 734017de 3148->3163 3247 7340200d 3148->3247 3150->3133 3150->3134 3152 73401708 3152->3150 3153 73402209 10 API calls 3153->3148 3156 734017e8 GlobalFree 3156->3126 3160 734017cf 3160->3163 3251 734015c5 wsprintfW 3160->3251 3162 734017c2 FreeLibrary 3162->3160 3163->3126 3163->3156 3254 734012f8 GlobalAlloc 3164->3254 3166 7340237f 3255 734012f8 GlobalAlloc 3166->3255 3168 73402a3a GlobalFree GlobalFree GlobalFree 3169 73402a5a 3168->3169 3173 73402aa7 3168->3173 3171 73402af7 3169->3171 3169->3173 3177 73402a73 3169->3177 3170 7340238a 3170->3168 3174 73402947 GlobalAlloc 3170->3174 3179 734029bd GlobalFree 3170->3179 3180 7340299f lstrcpyW 3170->3180 3184 734029af lstrcpyW 3170->3184 3189 73402822 GlobalFree 3170->3189 3191 734029fb 3170->3191 3256 734012f8 GlobalAlloc 3170->3256 3257 734012e1 3170->3257 3172 73402b19 GetModuleHandleW 3171->3172 3171->3173 3175 73402b2a LoadLibraryW 3172->3175 3176 73402b3f 3172->3176 3173->3125 3174->3170 3175->3173 3175->3176 3262 73401f7b WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 3176->3262 3177->3173 3183 734012e1 2 API calls 3177->3183 3179->3170 3180->3170 3181 
73402b8e 3181->3173 3182 73402b9c lstrlenW 3181->3182 3263 73401f7b WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 3182->3263 3183->3173 3184->3170 3185 73402b4c 3185->3181 3192 73402b78 GetProcAddress 3185->3192 3187 73402bb6 3187->3173 3189->3170 3191->3170 3260 73401309 GlobalSize GlobalAlloc 3191->3260 3192->3181 3199 7340205e 3194->3199 3196 734021be GlobalFree 3196->3199 3201 734016dc 3196->3201 3197 73402124 GlobalAlloc WideCharToMultiByte 3197->3196 3198 73402154 GlobalAlloc 3203 7340208b 3198->3203 3199->3196 3199->3197 3199->3198 3200 734012e1 lstrcpynW GlobalAlloc 3199->3200 3199->3203 3200->3199 3201->3135 3201->3136 3201->3150 3203->3196 3203->3199 3265 73401548 3203->3265 3270 734019db 3203->3270 3205 73402d26 3204->3205 3206 73402dcb SetFilePointer 3205->3206 3207 73402de9 3206->3207 3273 73402cbf 3207->3273 3211 73401fde 3210->3211 3212 734016d5 3211->3212 3213 73401fe9 GlobalAlloc 3211->3213 3212->3127 3213->3211 3218 73401823 3214->3218 3215 73401897 GlobalAlloc 3219 734018b5 3215->3219 3216 734018a8 3217 734018ac GlobalSize 3216->3217 3216->3219 3217->3219 3218->3215 3218->3216 3219->3152 3222 73402faa 3220->3222 3221 73402fea GlobalFree 3222->3221 3276 734012f8 GlobalAlloc 3223->3276 3225 73402280 MultiByteToWideChar 3228 73402211 3225->3228 3226 734022a6 StringFromGUID2 3226->3228 3227 734022b7 lstrcpynW 3227->3228 3228->3225 3228->3226 3228->3227 3229 734022ca wsprintfW 3228->3229 3230 734022ee GlobalFree 3228->3230 3231 73402325 GlobalFree 3228->3231 3232 734015eb 2 API calls 3228->3232 3277 73401638 3228->3277 3229->3228 3230->3228 3231->3144 3232->3228 3281 734012f8 GlobalAlloc 3234->3281 3236 7340166d 3237 73401f1e 2 API calls 3236->3237 3238 73401677 3237->3238 3239 734015eb 3238->3239 3240 73401633 GlobalFree 3239->3240 3241 734015f4 GlobalAlloc lstrcpynW 3239->3241 3240->3148 3241->3240 3243 73401f2b wsprintfW 3242->3243 3244 73401f5c lstrcpyW 3242->3244 3246 73401765 3243->3246 3244->3246 3246->3153 3248 
734017a4 3247->3248 3249 7340201c 3247->3249 3248->3160 3248->3162 3249->3248 3250 73402033 GlobalFree 3249->3250 3250->3249 3252 734015eb 2 API calls 3251->3252 3253 734015e6 3252->3253 3253->3163 3254->3166 3255->3170 3256->3170 3264 734012f8 GlobalAlloc 3257->3264 3259 734012f0 lstrcpynW 3259->3170 3261 73401327 3260->3261 3261->3191 3262->3185 3263->3187 3264->3259 3266 73401555 3265->3266 3267 734012f8 GlobalAlloc 3265->3267 3268 734012e1 2 API calls 3266->3268 3267->3203 3269 7340156a 3268->3269 3269->3203 3271 73401a48 3270->3271 3272 734019ea VirtualAlloc 3270->3272 3271->3203 3272->3271 3274 73402cd8 3273->3274 3275 73402ccd GetLastError 3273->3275 3274->3150 3275->3274 3276->3228 3278 73401663 3277->3278 3279 7340163f 3277->3279 3278->3228 3279->3278 3280 73401648 lstrcpyW 3279->3280 3280->3278 3281->3236 3352 7340103a 3353 73401052 3352->3353 3354 734010c5 3353->3354 3355 73401081 3353->3355 3356 73401061 3353->3356 3357 7340156c GlobalFree 3355->3357 3358 7340156c GlobalFree 3356->3358 3362 73401079 3357->3362 3359 73401072 3358->3359 3360 7340156c GlobalFree 3359->3360 3360->3362 3361 73401091 GlobalSize 3363 7340109a 3361->3363 3362->3361 3362->3363 3364 734010af 3363->3364 3365 7340109e GlobalAlloc 3363->3365 3367 734010b8 GlobalFree 3364->3367 3366 734015c5 3 API calls 3365->3366 3366->3364 3367->3354 3373 73402ebf 3374 73402ed7 3373->3374 3375 73401309 2 API calls 3374->3375 3376 73402ef2 3375->3376

                                                      Control-flow Graph (code starting at 004036DA; blocks marked Executed / Not Executed)
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008001), ref: 004036F6
                                                      • GetVersionExW.KERNEL32(?), ref: 0040371F
                                                      • GetVersionExW.KERNEL32(?), ref: 00403732
                                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037DA
                                                      • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403814
                                                      • OleInitialize.OLE32(00000000), ref: 0040381B
                                                      • SHGetFileInfoW.SHELL32(004085B0,00000000,?,000002B4,00000000), ref: 0040383A
                                                      • GetCommandLineW.KERNEL32(007A7540,NSIS Error), ref: 0040384F
                                                      • CharNextW.USER32(00000000,007B3000,?,007B3000,00000000), ref: 0040389B
                                                      • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403999
                                                      • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039AA
                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039B6
                                                      • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039CA
                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039D2
                                                      • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004039E3
                                                      • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004039EB
                                                      • DeleteFileW.KERNELBASE(1033), ref: 00403A05
                                                        • Part of subcall function 004033CB: GetTickCount.KERNEL32 ref: 004033DE
                                                        • Part of subcall function 004033CB: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004033FA
                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403AA8
                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00408600,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403ABB
                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403ACA
                                                      • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403AD9
                                                      • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B01
                                                      • DeleteFileW.KERNEL32(0079F200,0079F200,?,007A9000,?), ref: 00403B54
                                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\Quotation.exe,0079F200,00000001), ref: 00403B66
                                                      • CloseHandle.KERNEL32(00000000,0079F200,0079F200,?,0079F200,00000000), ref: 00403B9F
                                                        • Part of subcall function 00405DFC: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00405E04
                                                        • Part of subcall function 00405DFC: GetLastError.KERNEL32 ref: 00405E0E
                                                      • OleUninitialize.OLE32(00000000), ref: 00403BCD
                                                      • ExitProcess.KERNEL32 ref: 00403BE4
                                                      • GetCurrentProcess.KERNEL32(?,?), ref: 00403BFA
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00403C01
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C16
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403C39
                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C5E
                                                        • Part of subcall function 004065D4: CharNextW.USER32(?,0040389A,007B3000,?,007B3000,00000000), ref: 004065EA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
                                                      • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.exe$C:\Users\user\overlays\besvangredes\Phenomenalizing$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                      • API String ID: 1152188737-1019491921
                                                      • Opcode ID: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
                                                      • Instruction ID: ef6c2823884109cd5a884fcd16d1840cc0f2fcd0ed87f9f7bcd5e2f232321f3d
                                                      • Opcode Fuzzy Hash: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
                                                      • Instruction Fuzzy Hash: B8D14DB16043106AD7207FB19D45B6B3EECAB4574AF05443FF585B62D2DBBC8A40872E
                                                      APIs
                                                        • Part of subcall function 734012F8: GlobalAlloc.KERNEL32(?,?,734011C4,-000000A0), ref: 73401302
                                                      • GlobalAlloc.KERNELBASE(?,00001CA4), ref: 7340294E
                                                      • lstrcpyW.KERNEL32(00000008,?), ref: 734029A4
                                                      • lstrcpyW.KERNEL32(00000808,?), ref: 734029AF
                                                      • GlobalFree.KERNEL32(00000000), ref: 734029C0
                                                      • GlobalFree.KERNEL32(?), ref: 73402A44
                                                      • GlobalFree.KERNEL32(?), ref: 73402A4A
                                                      • GlobalFree.KERNEL32(?), ref: 73402A50
                                                      • GetModuleHandleW.KERNEL32(00000008), ref: 73402B1A
                                                      • LoadLibraryW.KERNEL32(00000008), ref: 73402B2B
                                                      • GetProcAddress.KERNEL32(?,?), ref: 73402B82
                                                      • lstrlenW.KERNEL32(00000808), ref: 73402B9D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
                                                      • String ID:
                                                      • API String ID: 1042148487-0
                                                      • Opcode ID: 27dd1f3ffc7d94c1712b50c7291ca04458f445e72cd416089f08b0f825ee75ea
                                                      • Instruction ID: 5f873e01485edb4509cb78f54c42802f333d722ea20a4992cc1b454ac94cbf71
                                                      • Opcode Fuzzy Hash: 27dd1f3ffc7d94c1712b50c7291ca04458f445e72cd416089f08b0f825ee75ea
                                                      • Instruction Fuzzy Hash: 8F42BD71B0830ADFD30DCF24858075AB7F5FB88314F044ABEE4AAA62D4EB70D5458B99

                                                      Control-flow Graph (code starting at 004066F7; blocks marked Executed / Not Executed)
                                                      APIs
                                                        • Part of subcall function 00406616: lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,74DF3420,?), ref: 0040666A
                                                        • Part of subcall function 00406616: GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B
                                                      • DeleteFileW.KERNELBASE(?,?,00000000,74DF3420,?), ref: 00406723
                                                      • lstrcatW.KERNEL32(007A3A88,\*.*,007A3A88,?,00000000,?,00000000,74DF3420,?), ref: 00406775
                                                      • lstrcatW.KERNEL32(?,004082B0,?,007A3A88,?,00000000,?,00000000,74DF3420,?), ref: 00406796
                                                      • lstrlenW.KERNEL32(?), ref: 00406799
                                                      • FindFirstFileW.KERNEL32(007A3A88,?), ref: 004067B0
                                                      • FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00406841
                                                      • FindClose.KERNEL32(00000000), ref: 00406853
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
                                                      • String ID: \*.*
                                                      • API String ID: 2636146433-1173974218

                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 004031B6
                                                      • GetTickCount.KERNEL32 ref: 00403248
                                                      • MulDiv.KERNEL32(?,?,?), ref: 00403278
                                                      • wsprintfW.USER32 ref: 00403289
                                                        • Part of subcall function 00403131: SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: CountTick$FilePointerwsprintf
                                                      • String ID: ... %d%%$<Py
                                                      • API String ID: 999035486-2352372732
                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
                                                      • FindClose.KERNEL32(00000000), ref: 004065C4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0

                                                      APIs
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FAF
                                                      • ShowWindow.USER32(?), ref: 00404FD9
                                                      • GetWindowLongW.USER32(?,?), ref: 00404FEA
                                                      • ShowWindow.USER32(?,?), ref: 00405006
                                                      • GetDlgItem.USER32(?,00000001), ref: 0040512D
                                                      • GetDlgItem.USER32(?,00000002), ref: 00405137
                                                      • SetClassLongW.USER32(?,000000F2,?), ref: 00405151
                                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040519F
                                                      • GetDlgItem.USER32(?,00000003), ref: 0040524E
                                                      • ShowWindow.USER32(00000000,?), ref: 00405277
                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040528B
                                                      • KiUserCallbackDispatcher.NTDLL(?), ref: 0040529F
                                                      • EnableWindow.USER32(?), ref: 004052B7
                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052CE
                                                      • EnableMenuItem.USER32(00000000), ref: 004052D5
                                                      • SendMessageW.USER32(?,?,00000000,00000001), ref: 004052E6
                                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004052FD
                                                      • lstrlenW.KERNEL32(Atomvaabenpolitik Setup: Installing,?,Atomvaabenpolitik Setup: Installing,00000000), ref: 0040532E
                                                        • Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,?,?), ref: 0040604E
                                                      • SetWindowTextW.USER32(?,Atomvaabenpolitik Setup: Installing), ref: 00405346
                                                        • Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
                                                        • Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409
                                                      • DestroyWindow.USER32(?,00000000), ref: 0040538E
                                                      • CreateDialogParamW.USER32(?,?,-007A8560), ref: 004053C2
                                                        • Part of subcall function 004054F8: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405512
                                                      • GetDlgItem.USER32(?,000003FA), ref: 004053EB
                                                      • GetWindowRect.USER32(00000000), ref: 004053F2
                                                      • ScreenToClient.USER32(?,?), ref: 004053FE
                                                      • SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405417
                                                      • ShowWindow.USER32(?,?,00000000), ref: 00405436
                                                        • Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8
                                                      • ShowWindow.USER32(?,0000000A), ref: 0040547C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
                                                      • String ID: Atomvaabenpolitik Setup: Installing
                                                      • API String ID: 162979904-1513183412

                                                      APIs
                                                        • Part of subcall function 004068C4: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
                                                        • Part of subcall function 004068C4: GetProcAddress.KERNEL32(00000000), ref: 004068EE
                                                      • lstrcatW.KERNEL32(1033,Atomvaabenpolitik Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Atomvaabenpolitik Setup: Installing,00000000,00000002,00000000,74DF3420,00000000,74DF3170), ref: 00405A9F
                                                      • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,007B3800,1033,Atomvaabenpolitik Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Atomvaabenpolitik Setup: Installing,00000000,00000002,00000000), ref: 00405B23
                                                      • lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,007B3800,1033,Atomvaabenpolitik Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Atomvaabenpolitik Setup: Installing,00000000), ref: 00405B38
                                                      • GetFileAttributesW.KERNEL32(Call), ref: 00405B43
                                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,007B3800), ref: 00405B8C
                                                        • Part of subcall function 004065FD: wsprintfW.USER32 ref: 0040660A
                                                      • RegisterClassW.USER32(007A74E0), ref: 00405BD1
                                                      • SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00405BE8
                                                      • CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C1D
                                                      • ShowWindow.USER32(00000005,00000000), ref: 00405C4F
                                                      • GetClassInfoW.USER32(00000000,RichEdit20W,007A74E0), ref: 00405C7A
                                                      • GetClassInfoW.USER32(00000000,RichEdit,007A74E0), ref: 00405C87
                                                      • RegisterClassW.USER32(007A74E0), ref: 00405C94
                                                      • DialogBoxParamW.USER32(?,00000000,00404F70,00000000), ref: 00405CAF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                      • String ID: .DEFAULT\Control Panel\International$.exe$1033$Atomvaabenpolitik Setup: Installing$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$tz
                                                      • API String ID: 1975747703-4098506729
                                                      • Opcode ID: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
                                                      • Instruction ID: 09b92c81f8f4ef2e2e9fd8d830fcc712f1cdd6db1c368b512ccdb95b409c048d
                                                      • Opcode Fuzzy Hash: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
                                                      • Instruction Fuzzy Hash: 31611370604604BEE7107B65AD42F2B366CEB46748F11813EF941B61E2EB3CA9108FAD

                                                      APIs
                                                      • PostQuitMessage.USER32(00000000), ref: 004015F1
                                                      • Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
                                                      • SetForegroundWindow.USER32 ref: 00401634
                                                      • ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
                                                      • ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
                                                      • SetFileAttributesW.KERNELBASE(00000000,?,?,?,?,00000000,00000000), ref: 004016FB
                                                      • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 0040176A
                                                      • SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\overlays\besvangredes\Phenomenalizing,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,00000000,?,?,?,00000000,00000000), ref: 004017A3
                                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
                                                      • GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
                                                      • GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
                                                      • SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
                                                      • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\overlays\besvangredes\Phenomenalizing,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
                                                      • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\overlays\besvangredes\Phenomenalizing,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
                                                      • SetFileTime.KERNELBASE(?,?,00000000,?,?,?,00000000,00000000,000000EA,?,Call,40000000,00000001,Call,00000000,00000000), ref: 00401A5A
                                                      • CloseHandle.KERNELBASE(?,?,?,00000000,00000000), ref: 00401A61
                                                      • lstrcatW.KERNEL32(Call,?,Call,000000E9,?,?,00000000,00000000), ref: 00401A82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp$C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll$C:\Users\user\overlays\besvangredes\Phenomenalizing$Call
                                                      • API String ID: 3895412863-752717137
                                                      • Opcode ID: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
                                                      • Instruction ID: f97e61f8377ab9e25a0dd965f2557d34b91b3991d6c9f65f1b163fc05bb86adc
                                                      • Opcode Fuzzy Hash: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
                                                      • Instruction Fuzzy Hash: 6AD1D571644301ABC710BF66CD85E2B76A8AF86758F10463FF452B22E1DB7CD8019A6F

                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 004033DE
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004033FA
                                                        • Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
                                                        • Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D
                                                      • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00403444
                                                      • GlobalAlloc.KERNELBASE(?,?), ref: 0040359E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                      • String ID: C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                      • API String ID: 2803837635-1886681884
                                                      • Opcode ID: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
                                                      • Instruction ID: 8295773d5102a3db2c924d587f32f5b95c2827ef7f93a52122a4f4d2b553c90e
                                                      • Opcode Fuzzy Hash: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
                                                      • Instruction Fuzzy Hash: B951D371904300AFD720AF25DD81B1B7AA8BB8471AF10453FF955B62E1CB3D8E548B6E

                                                      APIs
                                                      • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FC2
                                                        • Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05
                                                        • Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406D90
                                                        • Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
                                                        • Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DA4
                                                        • Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DBC
                                                      • GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,?,?), ref: 00405FD5
                                                      • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,?,?), ref: 0040604E
                                                      • lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,?,?), ref: 004060A8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
                                                      • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                      • API String ID: 4187626192-1358229178
                                                      • Opcode ID: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
                                                      • Instruction ID: e5fb9ae88836c379eadb94168964a2c41ebb3bf79b6cd8bfde1838e31315b013
                                                      • Opcode Fuzzy Hash: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
                                                      • Instruction Fuzzy Hash: 0E6115716442159BDB24AB288C40A3B76A4EF99350F11853FF982F72D1EB3CC9258B5E

                                                      APIs
                                                      • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,00000000,?,?), ref: 00405D4A
                                                      • lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,00000000,?,?), ref: 00405D5C
                                                      • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,00000000,?,?), ref: 00405D77
                                                      • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll), ref: 00405D8F
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405DB6
                                                      • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DD1
                                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405DDE
                                                        • Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll,?,?,?), ref: 0040604E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$lstrcatlstrlen$TextWindow
                                                      • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll
                                                      • API String ID: 1759915248-2222070643
                                                      • Opcode ID: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
                                                      • Instruction ID: eb00d4876afd5f62942919e2a46038e7a2417e41af97232aca8a81e0ace8ac77
                                                      • Opcode Fuzzy Hash: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
                                                      • Instruction Fuzzy Hash: C7212672A056206BC310AF598D44E5BBBDCFF95310F04443FF988B3291C7B89D018BAA

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 997 40617c-40619c GetSystemDirectoryW 998 4061b6 997->998 999 40619e-4061a0 997->999 1001 4061b8 998->1001 999->998 1000 4061a2-4061ad 999->1000 1000->1001 1002 4061af-4061b4 1000->1002 1003 4061bd-4061ea wsprintfW LoadLibraryExW 1001->1003 1002->1003
                                                      APIs
                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
                                                      • wsprintfW.USER32 ref: 004061CF
                                                      • LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004061E3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                                      • String ID: %s%S.dll$UXTHEME$\
                                                      • API String ID: 2200240437-1946221925
                                                      • Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
                                                      • Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
                                                      • Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
                                                      • Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1004 406a34-406a40 1005 406a41-406a73 GetTickCount GetTempFileNameW 1004->1005 1006 406a75-406a77 1005->1006 1007 406a7e 1005->1007 1006->1005 1009 406a79-406a7c 1006->1009 1008 406a80-406a83 1007->1008 1009->1008
                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 00406A50
                                                      • GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CB2,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406A6B
                                                      Strings
                                                      • n, xrefs: 00406A42
                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00406A39
                                                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A3D
                                                      • a, xrefs: 00406A49
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: CountFileNameTempTick
                                                      • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
                                                      • API String ID: 1716503409-3085344383
                                                      • Opcode ID: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
                                                      • Instruction ID: 42be8ac81fa96e2418e52fe12c64c606f0e7da939330081f96b146de974569e0
                                                      • Opcode Fuzzy Hash: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
                                                      • Instruction Fuzzy Hash: EDF05E72700208BBEB149F85DD09BEF7769EF91B10F15807BE945BA180E6B05E9487A4

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1010 4068c4-4068da GetModuleHandleA 1011 4068e6-4068ee GetProcAddress 1010->1011 1012 4068dc-4068dd call 40617c 1010->1012 1014 4068f4-4068f6 1011->1014 1015 4068e2-4068e4 1012->1015 1015->1011 1015->1014
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004068EE
                                                        • Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
                                                        • Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
                                                        • Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004061E3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                      • String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
                                                      • API String ID: 2547128583-890815371
                                                      • Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
                                                      • Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
                                                      • Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
                                                      • Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1016 405e1c-405e65 CreateDirectoryW 1017 405e67-405e72 GetLastError 1016->1017 1018 405e8a-405e8c 1016->1018 1019 405e94-405e95 1017->1019 1020 405e74-405e88 SetFileSecurityW 1017->1020 1018->1019 1020->1018 1021 405e8e GetLastError 1020->1021 1021->1019
                                                      APIs
                                                      • CreateDirectoryW.KERNELBASE(?,?), ref: 00405E5D
                                                      • GetLastError.KERNEL32 ref: 00405E67
                                                      • SetFileSecurityW.ADVAPI32(?,80000007,?), ref: 00405E80
                                                      • GetLastError.KERNEL32 ref: 00405E8E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                      • String ID:
                                                      • API String ID: 3449924974-0
                                                      • Opcode ID: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
                                                      • Instruction ID: c5276d81fc3706eb17032c67a8bd40c2bbffd7631990a047acf891ba11bc5777
                                                      • Opcode Fuzzy Hash: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
                                                      • Instruction Fuzzy Hash: 39011A74D00609DFDB109FA0DA44BAE7BB4EB04315F10443AD949F6190D77886488F99

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1022 406955-406988 call 4062b6 1025 4069c7-4069c9 1022->1025 1026 40698a-4069b9 RegQueryValueExW RegCloseKey 1022->1026 1027 4069cc-4069ce 1025->1027 1026->1025 1028 4069bb-4069bf 1026->1028 1028->1027 1029 4069c1-4069c5 1028->1029 1029->1025 1029->1027
                                                      APIs
                                                      • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,Call,00000000,00000000,00000002,00405F9C), ref: 0040699C
                                                      • RegCloseKey.KERNELBASE(?), ref: 004069A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: CloseQueryValue
                                                      • String ID: Call
                                                      • API String ID: 3356406503-1824292864
                                                      • Opcode ID: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
                                                      • Instruction ID: 1ae9e56a03760404e91669882a34a602e62d6bc2f034f3a498143100352ea1f7
                                                      • Opcode Fuzzy Hash: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
                                                      • Instruction Fuzzy Hash: F6015EB652010AABDF218FA4DD06EEF7BA8EF44354F110136F905E2260E334DA64DB94

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1030 405dfc-405e0c CreateDirectoryW 1031 405e16-405e19 1030->1031 1032 405e0e-405e14 GetLastError 1030->1032 1032->1031
                                                      APIs
                                                      • CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00405E04
                                                      • GetLastError.KERNEL32 ref: 00405E0E
                                                      Strings
                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DFC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: CreateDirectoryErrorLast
                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                      • API String ID: 1375471231-3081826266
                                                      • Opcode ID: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
                                                      • Instruction ID: 1d45a01f7acee8fa23fe776dff3dd1d011af88d7d8ca29917c3c3e776444c4f1
                                                      • Opcode Fuzzy Hash: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
                                                      • Instruction Fuzzy Hash: 74C012326000309BC7602B65AE08A87BE94EB506A13068239B988E2220DA308C54CAE8
                                                      APIs
                                                        • Part of subcall function 73402351: GlobalFree.KERNEL32(?), ref: 73402A44
                                                        • Part of subcall function 73402351: GlobalFree.KERNEL32(?), ref: 73402A4A
                                                        • Part of subcall function 73402351: GlobalFree.KERNEL32(?), ref: 73402A50
                                                      • GlobalFree.KERNEL32(00000000), ref: 73401738
                                                      • FreeLibrary.KERNEL32(?), ref: 734017C3
                                                      • GlobalFree.KERNEL32(00000000), ref: 734017E9
                                                        • Part of subcall function 73401FCB: GlobalAlloc.KERNEL32(?,?), ref: 73401FFA
                                                        • Part of subcall function 734017F7: GlobalAlloc.KERNEL32(?,00000000,?,?,00000000,?,?,73401708,00000000), ref: 7340189A
                                                        • Part of subcall function 73401F1E: wsprintfW.USER32 ref: 73401F51
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      • Associated: 00000000.00000002.2078122706.0000000073400000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078245094.0000000073404000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078263961.0000000073406000.00000002.00000001.01000000.00000006.sdmp
                                                      Similarity
                                                      • API ID: Global$Free$Alloc$Librarywsprintf
                                                      • String ID:
                                                      • API String ID: 3962662361-0
                                                      • Opcode ID: fe3398f8a01118b1ec6821936fe015275026bbc0c71f076f04840378f7b7e511
                                                      • Instruction ID: 642ffc0d17af5f85f297750f5445e6d73a92770459395297c0103a365e7370a8
                                                      • Opcode Fuzzy Hash: fe3398f8a01118b1ec6821936fe015275026bbc0c71f076f04840378f7b7e511
                                                      • Instruction Fuzzy Hash: BC41C37A700349AFD72DAE64C984B8A33FDAB40314F1440BDF94E5B2C2EB7455448658
                                                      APIs
                                                      • MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
                                                      • SendMessageW.USER32(?,00000402,00000000), ref: 00401409
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
                                                      • Instruction ID: 15b31486c92c371a01b824ec8c308dd00c5fb3f6de234e3455dc008c55755f60
                                                      • Opcode Fuzzy Hash: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
                                                      • Instruction Fuzzy Hash: 2A01D472E542309BD7196F28AC09B2A2699A7C1711F15893EF901F72F1E6B89D01879C
                                                      APIs
                                                        • Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05
                                                        • Part of subcall function 00406BA3: CharNextW.USER32(?,?,?,00000000,007A4288,0040662D,007A4288,007A4288,?,?,?,00406719,?,00000000,74DF3420,?), ref: 00406BB2
                                                        • Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BB7
                                                        • Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BD1
                                                        • Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406D90
                                                        • Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
                                                        • Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DA4
                                                        • Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DBC
                                                      • lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,74DF3420,?), ref: 0040666A
                                                      • GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B
                                                        • Part of subcall function 004065AD: FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
                                                        • Part of subcall function 004065AD: FindClose.KERNEL32(00000000), ref: 004065C4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
                                                      • String ID:
                                                      • API String ID: 1879705256-0
                                                      • Opcode ID: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
                                                      • Instruction ID: a0caebe489df7e9b8c47fc78556c087e467958ed1b806a88a2837ae242d5d264
                                                      • Opcode Fuzzy Hash: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
                                                      • Instruction Fuzzy Hash: FAF0C2614042212AC72037751E88A2B255C8E4635971B4F3FFCA7F12D2CA7ECC31957D
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A3A40,?), ref: 004066DD
                                                      • CloseHandle.KERNEL32(?), ref: 004066EA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: CloseCreateHandleProcess
                                                      • String ID:
                                                      • API String ID: 3712363035-0
                                                      • Opcode ID: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
                                                      • Instruction ID: 38b84478e037bba77e5bda8d52abba300c1c8c141792dec0b9fd1b8b871a7deb
                                                      • Opcode Fuzzy Hash: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
                                                      • Instruction Fuzzy Hash: 45E0BFF0600219BFFB009F64ED05E7BB66CFB44604F008529BD51E6150D77499149A79
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
                                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: File$AttributesCreate
                                                      • String ID:
                                                      • API String ID: 415043291-0
                                                      • Opcode ID: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
                                                      • Instruction ID: 2b20bdeb62c6161fa823f395ef17c7eb789f23499ed64d7ea8bf83f44df62fc9
                                                      • Opcode Fuzzy Hash: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
                                                      • Instruction Fuzzy Hash: 3ED09E71118201AEDF054F20DE4AF1EBA65EF84710F114A2CF6A6D40F0DA718865AA15
                                                      APIs
                                                      • SetFilePointer.KERNELBASE(?), ref: 73402DD3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: ce0f5b97fa309d64ce275b8a6dd350193bfb821fe42ee78c2a0ef5404567f8fe
                                                      • Instruction ID: af2bd4d15a94fc8fe89313cbae099345bff632a137bdd4164a4b3dc1202efb40
                                                      • Opcode Fuzzy Hash: ce0f5b97fa309d64ce275b8a6dd350193bfb821fe42ee78c2a0ef5404567f8fe
                                                      • Instruction Fuzzy Hash: CE4185B6B08308DFEB0CAF65DB85B4D37B9EB48358F2450F9E5099A290E634D581C7C8
                                                      APIs
                                                      • WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00793200,00403326,?,00793200,?,00793200,?,?), ref: 00406A00
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: FileWrite
                                                      • String ID:
                                                      • API String ID: 3934441357-0
                                                      • Opcode ID: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
                                                      • Instruction ID: af586fd2f7f6880044e5fe5766d6096d47c0719768b2310f5fb2dcc6f4abfd7b
                                                      • Opcode Fuzzy Hash: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
                                                      • Instruction Fuzzy Hash: 68E0BF32600119BB8F205B56DD04D9FBF6DEE927A07124026F906B6150D670EA51DAE4
                                                      APIs
                                                      • ReadFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00000000,004031A2,?,?,00000000,00000000,00000000,00000000), ref: 0040693D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
                                                      • Instruction ID: de6cc0abbc936f950c0aa48064430f9d9b1dfb465831d1c2e6fd43c94deb3c7e
                                                      • Opcode Fuzzy Hash: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
                                                      • Instruction Fuzzy Hash: B7E0BF72200119BB8F215F46DD04D9FBF6DEE956A07114026B905A6150D670EA11D6E4
                                                      APIs
                                                      • VirtualProtect.KERNELBASE(7340501C,?,?,73405034), ref: 73401A68
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 2c731f33b34a265807051fabd5e8ffa8bf007b69ca559876ae7187d0ec558752
                                                      • Instruction ID: 74c38056c20ba5fb05777afbda17607a069a2e96686688ebf2e1959275b2bc50
                                                      • Opcode Fuzzy Hash: 2c731f33b34a265807051fabd5e8ffa8bf007b69ca559876ae7187d0ec558752
                                                      • Instruction Fuzzy Hash: EEF074F2B5D240DAD71CAF1AA74470D3AE4E758348B2065EEA65DAA340C33045009E9E
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406983,?,?,?,?,Call,00000000,00000000), ref: 004062DA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: Open
                                                      • String ID:
                                                      • API String ID: 71445658-0
                                                      • Opcode ID: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
                                                      • Instruction ID: 8275c49ac47c74d38988e0f8258bf7c149b7cc7998a497f72a9ef83b4f38b8ad
                                                      • Opcode Fuzzy Hash: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
                                                      • Instruction Fuzzy Hash: 51D0123204020DBBDF11AF90DD01FAB372DAB08750F01443AFE16A40A0D775D531A718
                                                      APIs
                                                      • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
                                                      • Instruction ID: ded955796c7b3a29419b03b8f07dbed72bf973f4b2991851ad7e5473cbc7331c
                                                      • Opcode Fuzzy Hash: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
                                                      • Instruction Fuzzy Hash: C3C04C716446007ADA109B619E05F077759A791701F10C8297240E55E0C675E460CA2C
                                                      APIs
                                                      • SendMessageW.USER32(?,?,00000001,00405316), ref: 004054EF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
                                                      • Instruction ID: 87925707e6409367d6b01bd6df3e013852da7cf14c64ffa79ed0cacb9bd9d926
                                                      • Opcode Fuzzy Hash: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
                                                      • Instruction Fuzzy Hash: 28B09239684600AADA195B00EE09F467B62ABA4701F008428B240640B0CAB210A0DB18
                                                      APIs
                                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
                                                      • Instruction ID: 249934cc5d2069a5a678a88893d20fb7c04287045258dfdbdab4020963f10c22
                                                      • Opcode Fuzzy Hash: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
                                                      • Instruction Fuzzy Hash: 94B09231140200AADA214F009E0AF057B21AB90700F108434B290680F086711060EA0D
                                                      APIs
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00000000,?,0040623C,?,?), ref: 0040631F
                                                      • GetShortPathNameW.KERNEL32(?,007A5688,00000400), ref: 00406328
                                                      • GetShortPathNameW.KERNEL32(?,007A4E88,00000400), ref: 00406345
                                                      • wsprintfA.USER32 ref: 00406363
                                                      • GetFileSize.KERNEL32(00000000,00000000,007A4E88,C0000000,?,007A4E88,?), ref: 0040639B
                                                      • GlobalAlloc.KERNEL32(?,0000000A), ref: 004063AB
                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063DB
                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,007A4A88,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063FB
                                                      • GlobalFree.KERNEL32(00000000), ref: 0040640D
                                                      • CloseHandle.KERNEL32(00000000), ref: 00406414
                                                        • Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
                                                        • Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                      • String ID: %ls=%ls$[Rename]
                                                      • API String ID: 2900126502-461813615
                                                      • Opcode ID: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
                                                      • Instruction ID: 9f7f24d6a9d8affb6c81019e1e78af230b3462d5c5472edf7d8bbe76e1c752c2
                                                      • Opcode Fuzzy Hash: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
                                                      • Instruction Fuzzy Hash: 1B3128B16012117BD7206B358D49F7B3A5CEF81749B06453EF943FA2C2DA7D88628A7C
                                                      APIs
                                                      • CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406D90
                                                      • CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
                                                      • CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DA4
                                                      • CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 00406DBC
                                                      Strings
                                                      • *?|<>/":, xrefs: 00406D7F
                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00406D1B, 00406D1D
                                                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D22
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Char$Next$Prev
                                                      • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                                      • API String ID: 589700163-562438032
                                                      • Opcode ID: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
                                                      • Instruction ID: 64caea1e5fba35c947d9094266ac5fc002638ab42ea644ca00d5fa91912821bd
                                                      • Opcode Fuzzy Hash: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
                                                      • Instruction Fuzzy Hash: 7511D511B0063156DB30672A8C4097772E8DF69761756443BFDC6E32C0F77D8D9192B9
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                      • String ID:
                                                      • API String ID: 2320649405-0
                                                      • Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
                                                      • Instruction ID: 26ea8d1a65f0c358df8059d13c2b59527feb86654ff2728a298fdc5f00fd0ae6
                                                      • Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
                                                      • Instruction Fuzzy Hash: E221D675500B049FDB649F28DA4895BB7F4EF45711B108A3EE896A26A0DB38E814DF28
                                                      APIs
                                                      • GlobalFree.KERNEL32(00000000), ref: 734021BF
                                                        • Part of subcall function 734012E1: lstrcpynW.KERNEL32(00000000,?,7340156A,?,734011C4,-000000A0), ref: 734012F1
                                                      • GlobalAlloc.KERNEL32(?), ref: 7340212C
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 7340214C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      • Associated: 00000000.00000002.2078122706.0000000073400000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078245094.0000000073404000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078263961.0000000073406000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                      • String ID: @Hmu
                                                      • API String ID: 4216380887-887474944
                                                      • Opcode ID: 3f8fe6285a61a15fd0558ce2b88d1f87f694de2e6c2844ee1943c0567c49ffee
                                                      • Instruction ID: 67e5dc90266919527d7dcc0502393123c982a79d1e4865f0270a798aebd5c4c1
                                                      • Opcode Fuzzy Hash: 3f8fe6285a61a15fd0558ce2b88d1f87f694de2e6c2844ee1943c0567c49ffee
                                                      • Instruction Fuzzy Hash: 68411671705309EFD30EAF24CA44BDA77F8FB05344F4442BEEA59AE289E7705541CAA8
                                                      APIs
                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040364B
                                                      • MulDiv.KERNEL32(00122778,?,00122778), ref: 00403673
                                                      • wsprintfW.USER32 ref: 00403683
                                                      • SetWindowTextW.USER32(?,?), ref: 00403693
                                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A5
                                                      Strings
                                                      • verifying installer: %d%%, xrefs: 0040367D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                      • String ID: verifying installer: %d%%
                                                      • API String ID: 1451636040-82062127
                                                      • Opcode ID: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
                                                      • Instruction ID: 44471e5cb11ab05bb0c6ce4c76b363bdac3f6882ce80e8a3b6daee8e8afc751d
                                                      • Opcode Fuzzy Hash: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
                                                      • Instruction Fuzzy Hash: BE018F71540208BBDF20AF60DE45BAA3B28A700305F00803AF642B51E0DBB58554CF4C
                                                      APIs
                                                        • Part of subcall function 734012F8: GlobalAlloc.KERNEL32(?,?,734011C4,-000000A0), ref: 73401302
                                                      • GlobalFree.KERNEL32(00000000), ref: 734022F1
                                                      • GlobalFree.KERNEL32(00000000), ref: 73402326
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      • Associated: 00000000.00000002.2078122706.0000000073400000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078245094.0000000073404000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078263961.0000000073406000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Global$Free$Alloc
                                                      • String ID:
                                                      • API String ID: 1780285237-0
                                                      • Opcode ID: 2325877ae8ed0252c8d5032bdccfdc2700c0e2bfb4af9988cbb9f769ed986317
                                                      • Instruction ID: d4f442d793874d0952cc42479c1f22414f585c9a266686ea074b32c0bd130125
                                                      • Opcode Fuzzy Hash: 2325877ae8ed0252c8d5032bdccfdc2700c0e2bfb4af9988cbb9f769ed986317
                                                      • Instruction Fuzzy Hash: C031BE72304209DBE71E9FA5CA48B2AB7B9FB85319F1005FDE40AA62D0D7319481DB69
                                                      APIs
                                                      • GlobalAlloc.KERNEL32(?,?), ref: 7340116B
                                                      • GlobalFree.KERNEL32(00000000), ref: 734011AE
                                                      • GlobalFree.KERNEL32(00000000), ref: 734011CD
                                                      • GlobalAlloc.KERNEL32(?,?), ref: 734011E6
                                                      • GlobalFree.KERNEL32 ref: 7340125C
                                                      • GlobalFree.KERNEL32(?), ref: 734012A7
                                                      • GlobalFree.KERNEL32(00000000), ref: 734012BF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      • Associated: 00000000.00000002.2078122706.0000000073400000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078245094.0000000073404000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078263961.0000000073406000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Global$Free$Alloc
                                                      • String ID:
                                                      • API String ID: 1780285237-0
                                                      • Opcode ID: 8e3191894739fca824d77cd3b2fe8e1f08933a8bfaa1829480954b073b2270ee
                                                      • Instruction ID: b27fc65cf1c302be5220031d46faacab81c5f8a07abf3c5f775e90c5f61bbb6f
                                                      • Opcode Fuzzy Hash: 8e3191894739fca824d77cd3b2fe8e1f08933a8bfaa1829480954b073b2270ee
                                                      • Instruction Fuzzy Hash: 035170BA7042019FD718EF65CA44B2977F8FB48208B1445EDF54AEB390E635D901CB99
                                                      APIs
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,73402B4C,00000000,00000808), ref: 73401F8C
                                                      • GlobalAlloc.KERNEL32(?,00000000), ref: 73401F97
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 73401FAB
                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 73401FB6
                                                      • GlobalFree.KERNEL32(00000000), ref: 73401FBF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      • Associated: 00000000.00000002.2078122706.0000000073400000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078245094.0000000073404000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078263961.0000000073406000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                      • String ID:
                                                      • API String ID: 1148316912-0
                                                      • Opcode ID: 48701d3dac9b45a37521ce72a29bed2b739d6318465686ffc4ac7e6418426172
                                                      • Instruction ID: 2b7defe6a1967bc8c29c8310a1712728fbdfd4db161bafab67da8bbdcbb267f6
                                                      • Opcode Fuzzy Hash: 48701d3dac9b45a37521ce72a29bed2b739d6318465686ffc4ac7e6418426172
                                                      • Instruction Fuzzy Hash: 24F0C733208128BBD6142AE7DE0CE577EACEB8B7FEF161255F61DF1290C56264008B71
                                                      APIs
                                                      • wsprintfW.USER32 ref: 73401F51
                                                      • lstrcpyW.KERNEL32(?,error,00001018,73401765,00000000,?), ref: 73401F71
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      • Associated: 00000000.00000002.2078122706.0000000073400000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078245094.0000000073404000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078263961.0000000073406000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: lstrcpywsprintf
                                                      • String ID: callback%d$error
                                                      • API String ID: 2408954437-1307476583
                                                      • Opcode ID: 6501a1814961752020610ab6d13d9945f8da1db8d62af6816e1ef88bd087d366
                                                      • Instruction ID: 77fa2d73e65cefe929dd4777678a0f889caabae551e80889f93642a4602979fd
                                                      • Opcode Fuzzy Hash: 6501a1814961752020610ab6d13d9945f8da1db8d62af6816e1ef88bd087d366
                                                      • Instruction Fuzzy Hash: B8F0FE35304120AFD70D9B04D648FB673B5EF85314F1985E8F95AA7352D774AC408F99
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CA1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A0), ref: 0040653A
                                                      • CharPrevW.USER32(?,00000000), ref: 00406545
                                                      • lstrcatW.KERNEL32(?,004082B0), ref: 00406557
                                                      Strings
                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00406534
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2043980312.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044020440.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007A2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044355400.00000000007DB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: CharPrevlstrcatlstrlen
                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                      • API String ID: 2659869361-3081826266
                                                      • Opcode ID: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
                                                      • Instruction ID: 997ea4b4438496dccce44eacbb2634370b3c3ae0899ac86cf6792f2d8b8f87b4
                                                      • Opcode Fuzzy Hash: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
                                                      • Instruction Fuzzy Hash: F7D05E31102924AFC2026B58AE08D9B77ACEF46341341406EFAC1B3160CB745D5287ED
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2078212554.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true
                                                      • Associated: 00000000.00000002.2078122706.0000000073400000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078245094.0000000073404000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000000.00000002.2078263961.0000000073406000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: FreeGlobal$__alldvrm
                                                      • String ID:
                                                      • API String ID: 482422042-0
                                                      • Opcode ID: 3b6ccdab82ab66b89ab152c0bfe885d384aa1d87fe7e70cdc085ebf7ada8346f
                                                      • Instruction ID: 9eed3fed65002667e93b6197968e45459be68cdc1fb9a0e79a35f28f520144bf
                                                      • Opcode Fuzzy Hash: 3b6ccdab82ab66b89ab152c0bfe885d384aa1d87fe7e70cdc085ebf7ada8346f
                                                      • Instruction Fuzzy Hash: 2551F63E7143468FD30E9F75898076E76FBAFC8204B1849BDE067C3384F6A1A8814299
                                                      APIs
                                                      • DestroyWindow.USER32(00000000), ref: 00403378
                                                      • GetTickCount.KERNEL32 ref: 00403397
                                                      • CreateDialogParamW.USER32(0000006F,00000000,0040362D,00000000), ref: 004033B6
                                                      • ShowWindow.USER32(00000000,00000005), ref: 004033C4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2043980312.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044020440.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007A2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044355400.00000000007DB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                      • String ID:
                                                      • API String ID: 2102729457-0
                                                      • Opcode ID: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
                                                      • Instruction ID: 5fb2c38a213eff1d2f515c73fe307429b33afba48c29838db2cc379488067e45
                                                      • Opcode Fuzzy Hash: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
                                                      • Instruction Fuzzy Hash: C9F0F870551700EBDB209F60EF8EB163AA8B740B02F505579F941B51F0DB788514CA5C
                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 00405852
                                                        • Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8
                                                      • OleUninitialize.OLE32(00000404,00000000), ref: 0040589E
                                                        • Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
                                                        • Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409
                                                      Strings
                                                      • Atomvaabenpolitik Setup: Installing, xrefs: 00405842
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2043980312.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044020440.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007A2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044355400.00000000007DB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$InitializeUninitialize
                                                      • String ID: Atomvaabenpolitik Setup: Installing
                                                      • API String ID: 1011633862-1513183412
                                                      • Opcode ID: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
                                                      • Instruction ID: 8d413f420cbd2cda170a8e13f5886ccfc68e5e1a5fc2061566676394b2cd1e54
                                                      • Opcode Fuzzy Hash: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
                                                      • Instruction Fuzzy Hash: 97F09077800A008EE3416B54AD01B6777A4EBD1305F09C53EEE88A62A1DB794C628A5E
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403436,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00406CF4
                                                      • CharPrevW.USER32(?,00000000), ref: 00406D05
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2043996481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.2043980312.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044020440.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007A2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044035596.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2044355400.00000000007DB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: CharPrevlstrlen
                                                      • String ID: C:\Users\user\Desktop
                                                      • API String ID: 2709904686-224404859
                                                      • Opcode ID: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
                                                      • Instruction ID: 8ca8e9e1e5128dac63b4d4f5950f4db4f9885d0bf84f26727eb387c0c5501f09
                                                      • Opcode Fuzzy Hash: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
                                                      • Instruction Fuzzy Hash: 75D05E31015924DBD7626B18ED059AF77A8EF0130030A846EE983E3164CB385C9187BD

                                                      Execution Graph

                                                      Execution Coverage:0%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:100%
                                                      Total number of Nodes:1
                                                      Total number of Limit Nodes:0
                                                      execution_graph 74476 35a42df0 LdrInitializeThunk

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1 35a435c0-35a435cc LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8ab0cb3b317165b83ea8ad2c22369de6209e83b88e2b207c269ea9eb0c0497a2
                                                      • Instruction ID: 604da43e1aae4cedc40a4676abfc782ad043ac347a0e71dd58e5768c22d6b2c7
                                                      • Opcode Fuzzy Hash: 8ab0cb3b317165b83ea8ad2c22369de6209e83b88e2b207c269ea9eb0c0497a2
                                                      • Instruction Fuzzy Hash: 7990023260550A02D50071585514F06101547D0211FB6C852B5824528E87A58A5579A2

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 35a42df0-35a42dfc LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b334e3c5c67c3e217df58762e6c794366f3ff9454906aa5186b2df45c7506d73
                                                      • Instruction ID: 7714ee377215e4bc8932ab0e93d73cb7892a9b41825b7d693b0f51be5057fa64
                                                      • Opcode Fuzzy Hash: b334e3c5c67c3e217df58762e6c794366f3ff9454906aa5186b2df45c7506d73
                                                      • Instruction Fuzzy Hash: 8A90023220140A13D51171585504F07001947D0251FE6C853B5824518E96668A56B521

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                      • API String ID: 0-2897834094
                                                      • Opcode ID: b56d1c70a37db28b32727cb4bae621b41d395bf633e8fb64d44e7d4c4f833f7e
                                                      • Instruction ID: 522f3e7397c6c1b86c8f0b4ee612bb3437c4ece30eecd594f2f52bb6c72ea6bc
                                                      • Opcode Fuzzy Hash: b56d1c70a37db28b32727cb4bae621b41d395bf633e8fb64d44e7d4c4f833f7e
                                                      • Instruction Fuzzy Hash: E061D473529341DFDB01DB98D880D25B3F9FB04736B1E805AED14DB252CAB6ACC1AB91

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: $ $0
                                                      • API String ID: 3446177414-3352262554
                                                      • Opcode ID: 52aec55986b0e7de2b20285b1c7732349f4a9aef1eba1945e3678212bdcbbb13
                                                      • Instruction ID: f45dddee8462972e162113421f780c1a5940b92d7faa12bc5fd00bf1cb18bb6b
                                                      • Opcode Fuzzy Hash: 52aec55986b0e7de2b20285b1c7732349f4a9aef1eba1945e3678212bdcbbb13
                                                      • Instruction Fuzzy Hash: 323203B260C3818FE350CF68C984B5BBBF5BB88344F10492EF99987250DB75E949DB52

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                      • API String ID: 3446177414-1700792311
                                                      • Opcode ID: a1d1bb6220703da8ecb5ec2ea170faafab18435682a069498a49c71b8ed8bf1c
                                                      • Instruction ID: 16c248e2b44b6451cff62df6726d8641e056ddd06c682a7f7c29e3a770415126
                                                      • Opcode Fuzzy Hash: a1d1bb6220703da8ecb5ec2ea170faafab18435682a069498a49c71b8ed8bf1c
                                                      • Instruction Fuzzy Hash: 29D1FF35608784DFDF01CF68C800EADBBF6FF49314F048059E9969B612CBB5A981EB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                      • API String ID: 0-3591852110
                                                      • Opcode ID: e48353559fde6f3e14f20ee661e55aaf013b4df30151747f283fb8db31ba6a02
                                                      • Instruction ID: 44a71c0e0867f0fe9377965909acb359ede74a98146d276d4d1b13cbc49428d3
                                                      • Opcode Fuzzy Hash: e48353559fde6f3e14f20ee661e55aaf013b4df30151747f283fb8db31ba6a02
                                                      • Instruction Fuzzy Hash: BF12AC74604681DFEB15CF64C440FA6BBFAFF09314F548459E8A78B642E7B5E880EB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                      • API String ID: 0-3532704233
                                                      • Opcode ID: 912d165baa1162040a126a87c206a3a6d1ed6da9ee386ceb00f81c9d13279c0a
                                                      • Instruction ID: 496a79821fbfcb71c68df998fd12c9604ef625fac82ebd892b8645505f4ab0e8
                                                      • Opcode Fuzzy Hash: 912d165baa1162040a126a87c206a3a6d1ed6da9ee386ceb00f81c9d13279c0a
                                                      • Instruction Fuzzy Hash: D9B198B6A083119BD711CF64C880E5FBBE8BF88755F42492EF898D7240DB71D909DB92
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 3446177414-3570731704
                                                      • Opcode ID: 538fc32bb43df0c4ed9b9225ca4bf2d793532322e06d948001fca27adbe818db
                                                      • Instruction ID: 7319c7154415f29ece189d6eb6e83315b662083532088fff227e091698b27fd9
                                                      • Opcode Fuzzy Hash: 538fc32bb43df0c4ed9b9225ca4bf2d793532322e06d948001fca27adbe818db
                                                      • Instruction Fuzzy Hash: 6B923575A04369CFEB24CB28CC80F99B7B6BB49354F0581EADD59A7280DB709A80DF51
                                                      APIs
                                                      • RtlDebugPrintTimes.NTDLL ref: 35A2D959
                                                        • Part of subcall function 35A04859: RtlDebugPrintTimes.NTDLL ref: 35A048F7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 3446177414-1975516107
                                                      • Opcode ID: 1067f6de920fb4363e2f8dfc23739dda14c37ccbe0ed49524f059ca4c9ddab25
                                                      • Instruction ID: b6b5d7b1392d5e716b8b8c87151b41e706dda4d90e7781290e4cd547655aee6f
                                                      • Opcode Fuzzy Hash: 1067f6de920fb4363e2f8dfc23739dda14c37ccbe0ed49524f059ca4c9ddab25
                                                      • Instruction Fuzzy Hash: DC51EFB5A043859FDB04CFA8D981F8DBFB2BF48304F224159DC116B682DB70A943EB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                      • API String ID: 0-3063724069
                                                      • Opcode ID: 68574e85bc5273cf836e191d69a8b4063d2c735399380e89b301fa19c38f7789
                                                      • Instruction ID: eafd2741dca9f5e4c76126667962fe15d303197a65d52734f1a7fc8ce8fb462a
                                                      • Opcode Fuzzy Hash: 68574e85bc5273cf836e191d69a8b4063d2c735399380e89b301fa19c38f7789
                                                      • Instruction Fuzzy Hash: A7D1D5B290C369BFD726CA94C841FAB77F8AF88754F400929FE5497150E770C9489792
                                                      Strings
                                                      • Control Panel\Desktop\LanguageConfiguration, xrefs: 359FD196
                                                      • @, xrefs: 359FD0FD
                                                      • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 359FD262
                                                      • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 359FD146
                                                      • @, xrefs: 359FD2AF
                                                      • @, xrefs: 359FD313
                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 359FD2C3
                                                      • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 359FD0CF
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                      • API String ID: 0-1356375266
                                                      • Opcode ID: 0fe9646caac9b05534fd252c7e694b9735819f1ef382507f4f1cf968a36224e3
                                                      • Instruction ID: d047daa0ec8a99bf1270033ed0755dbe246dc31ce2de72e164b0e901dea22f27
                                                      • Opcode Fuzzy Hash: 0fe9646caac9b05534fd252c7e694b9735819f1ef382507f4f1cf968a36224e3
                                                      • Instruction Fuzzy Hash: D4A16AB1A083059FE321CF64C580F9BB7E8BF84766F41492EE99896240E775D908DF93
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$\SysWOW64$minkernel\ntdll\ldrutil.c
                                                      • API String ID: 0-1558337705
                                                      • Opcode ID: 1f549d3c943ba2eb5393da323fe1418ea328860b96c30aab135ad1f1a78ce8d3
                                                      • Instruction ID: 7976598474e38f51e587a617a02b3f19c13b262ea556e90ff046bef4f8cd1b85
                                                      • Opcode Fuzzy Hash: 1f549d3c943ba2eb5393da323fe1418ea328860b96c30aab135ad1f1a78ce8d3
                                                      • Instruction Fuzzy Hash: B6C248B4A047298FDB24CF14CC90BAAB7B5BF48344F4041EADE49AB241DB749B81EF55
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-523794902
                                                      • Opcode ID: def19c17657a258ccb453831470777a99ceeae22cf46331293b38496a9f53f30
                                                      • Instruction ID: 03c2d371ed4912377714283bdee50ded29445eb62bd4d2ad31700d8a6304e21a
                                                      • Opcode Fuzzy Hash: def19c17657a258ccb453831470777a99ceeae22cf46331293b38496a9f53f30
                                                      • Instruction Fuzzy Hash: 4342FE752083818FD700CF28C984E6ABBE6FF88355F1449ADF895CB252DB31E985DB52
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                      • API String ID: 0-122214566
                                                      • Opcode ID: 1b49667423e436402882ccb7f8526ecb706e1293098da8b4ea47d0c4c2238563
                                                      • Instruction ID: 5b07d10e0c1c8e7e889c4ad21ea2e94db23562be8372089e0cb593fa42c6d92b
                                                      • Opcode Fuzzy Hash: 1b49667423e436402882ccb7f8526ecb706e1293098da8b4ea47d0c4c2238563
                                                      • Instruction Fuzzy Hash: D7C13471A04319ABEB14CB64CC90FBEBBF5BF45344F548069ED12AB680DFB48A45E391
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-4253913091
                                                      • Opcode ID: c4f6a7be6475354a84e3b57a21d482e715bd6c3e49ad3ad165fdd51f8fd69efc
                                                      • Instruction ID: d21ef669078dc2f925ec4aa3b26292cda731d5a75b8541a4cf8d3a7d995d0a28
                                                      • Opcode Fuzzy Hash: c4f6a7be6475354a84e3b57a21d482e715bd6c3e49ad3ad165fdd51f8fd69efc
                                                      • Instruction Fuzzy Hash: DDF18B74604605DFEB05CF69C990F6AB7F6FB48304F1441A9EC569B381DB70EA41EB90
                                                      Strings
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 35A702E7
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 35A702BD
                                                      • RTL: Re-Waiting, xrefs: 35A7031E
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      • Opcode ID: 1962b123a4c78921b83aa8cd31218d1d9fcd1b92d43f4588d11d96f6262ea011
                                                      • Instruction ID: 2e565f06dd2a5a4c175bb8768e1cbd127f33860869b97ca2c3e5f4b3a89acd32
                                                      • Opcode Fuzzy Hash: 1962b123a4c78921b83aa8cd31218d1d9fcd1b92d43f4588d11d96f6262ea011
                                                      • Instruction Fuzzy Hash: 13E1AC756087419FE710CF68C982F1AB7E1FF84354F104A69F9A58B2D0DB74E845EB42
                                                      Strings
                                                      • WindowsExcludedProcs, xrefs: 35A2522A
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 35A25352
                                                      • Kernel-MUI-Language-Allowed, xrefs: 35A2527B
                                                      • Kernel-MUI-Number-Allowed, xrefs: 35A25247
                                                      • Kernel-MUI-Language-SKU, xrefs: 35A2542B
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      • API String ID: 0-258546922
                                                      • Opcode ID: dd02f903b5c5ad551f70b4ca57684a199f3c2954be7cf9e8dd32c1ce64c8ac96
                                                      • Instruction ID: 73a2d37ad38a07fc1cdacfd9d6d5666c377255ebd278d241fbb7748fcb4bfd02
                                                      • Opcode Fuzzy Hash: dd02f903b5c5ad551f70b4ca57684a199f3c2954be7cf9e8dd32c1ce64c8ac96
                                                      • Instruction Fuzzy Hash: 97F12CB6E10219EFDB05CF98C981DDEBBF9FF4C650F51405AE911AB210EB749E01AB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Item:$ Language:$ Name:$SR - $Type:
                                                      • API String ID: 0-3082644519
                                                      • Opcode ID: 09bdd13bfd677168f6c0ffdd588c8b811744a310cbf84c7d9064e6267a4d6ff7
                                                      • Instruction ID: 844d6fcfe26e8fa5b015ad383597426f5e3765cda5b4c19ced76d023d9d8f0de
                                                      • Opcode Fuzzy Hash: 09bdd13bfd677168f6c0ffdd588c8b811744a310cbf84c7d9064e6267a4d6ff7
                                                      • Instruction Fuzzy Hash: F341AF72A00269AFDB21CB64CC48FDABBBCEF46304F4441D5A849A7241DE349E84DF61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlReAllocateHeap
                                                      • API String ID: 0-941669491
                                                      • Opcode ID: d7eaeae4789f5ffae6f7c3d22d8cf47194f9816aa9a7a73603ab55650bde97a3
                                                      • Instruction ID: 98c9f876c71bf0b1627a8d20aecda63bb39709a88a26887e7566cddf9372f290
                                                      • Opcode Fuzzy Hash: d7eaeae4789f5ffae6f7c3d22d8cf47194f9816aa9a7a73603ab55650bde97a3
                                                      • Instruction Fuzzy Hash: 4B014737118280DFE2158B18E809F92F7E4EB82732F298489F56187662CEB5ACC5D720
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                      • API String ID: 0-2586055223
                                                      • Opcode ID: 9b89d13766b96f1a8e53a22283ad0624efe1dcb5a984354589ae48c5d45c58d7
                                                      • Instruction ID: 74ed83d75966649e839dfa5a766adc86a5dea147dbf7a530ce5c8f6cc90ccf3b
                                                      • Opcode Fuzzy Hash: 9b89d13766b96f1a8e53a22283ad0624efe1dcb5a984354589ae48c5d45c58d7
                                                      • Instruction Fuzzy Hash: 4F611176204780AFE312CF64C944F16B7F9FF80764F0408A9EEA58B291DB75E940DB61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                      • API String ID: 0-336120773
                                                      • Opcode ID: 7ba4a4091b48a2ea8732a122c442000a8d4aa346eeb0a0a84c32d1695cad5327
                                                      • Instruction ID: 6c378b13573d4df70f4357bcacf39638f6e6de3b8cb696a61fe52556b1297ca7
                                                      • Opcode Fuzzy Hash: 7ba4a4091b48a2ea8732a122c442000a8d4aa346eeb0a0a84c32d1695cad5327
                                                      • Instruction Fuzzy Hash: EE310336214284EFEF00CBA8CC80F5673EDFF04764F214065E912CB251DAB1AC80EBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                      • API String ID: 0-1391187441
                                                      • Opcode ID: b50f8060ba9021df1f5f5212cc50eca3963141931f9a8ce7d2f3dcbabde426f0
                                                      • Instruction ID: b88d41e802b3d2ce8e476336e36ba8b3822233917714d56eb1d7b5952ca615d2
                                                      • Opcode Fuzzy Hash: b50f8060ba9021df1f5f5212cc50eca3963141931f9a8ce7d2f3dcbabde426f0
                                                      • Instruction Fuzzy Hash: 0C31CE36600208EFD701CB95DC84F9AB7F9EF84771F2144A5EA25AB291DB71E980CB60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
                                                      • API String ID: 0-4256168463
                                                      • Opcode ID: 4bf515b206e5a17b18ac763cc7a4b61a34b2bcbe13f99651f0cbcb3e3045687d
                                                      • Instruction ID: dbcfcb5895f681f6ba734536ca3c58b1599ed4ac00efb2eaf9f04643e1d4901c
                                                      • Opcode Fuzzy Hash: 4bf515b206e5a17b18ac763cc7a4b61a34b2bcbe13f99651f0cbcb3e3045687d
                                                      • Instruction Fuzzy Hash: 9501003B204640DFCB16DF64C800F86B3F9FF46268F108486E9428B241DB35E885DB64
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      • Opcode ID: bae039cbd9306b8e945d5424b8f2b4db32e8a9325eda88471c34d45ec9fd00ca
                                                      • Instruction ID: f15f4158b267eb20a04d659bee4e28aa3fddd513b1373a6c3e4023c84683f5bb
                                                      • Opcode Fuzzy Hash: bae039cbd9306b8e945d5424b8f2b4db32e8a9325eda88471c34d45ec9fd00ca
                                                      • Instruction Fuzzy Hash: 4951CD35A14709AFEB05CF64D944FADBBF5BF04356F108069EC62932A0EBB49901EF91
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      • Opcode ID: 38c2ae1204fcfc789f38373fffc25f481707dd34fb0d0f6c5ef9342e749aa954
                                                      • Instruction ID: 0761151c41208d9a921c233e6b2d117cca4d6e0fd61b32c3b25681e4b1cafb74
                                                      • Opcode Fuzzy Hash: 38c2ae1204fcfc789f38373fffc25f481707dd34fb0d0f6c5ef9342e749aa954
                                                      • Instruction Fuzzy Hash: 673102B6E1421A8FCB01CF99D844A9EFBF5BB48351F15802AEC11B3210DB349942EF64
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                      • API String ID: 0-3178619729
                                                      • Opcode ID: 911e57809c243a304727f6e7975b54b5c4de93d1129a030750ac016376938f9e
                                                      • Instruction ID: 10a4a408ccf390b0042df841ca7ae750a97769c963471b1bc7af209296127cf1
                                                      • Opcode Fuzzy Hash: 911e57809c243a304727f6e7975b54b5c4de93d1129a030750ac016376938f9e
                                                      • Instruction Fuzzy Hash: 1322F0746043469FEB01CF24C890F6ABBF6FF45708F148599ED668B282DB71E981DB90
                                                      Strings
                                                      • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 35A5F8CC
                                                      • HEAP: , xrefs: 35A5F8B7
                                                      • HEAP[%wZ]: , xrefs: 35A5F8AA
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                      • API String ID: 0-3178619729
                                                      • Opcode ID: 80624b4a3dc313e565e6e3afa20cfba3a84bd5a3502a02deeb768fd3c1364c2b
                                                      • Instruction ID: 04cc6f8b6d1c08364ebbc05cefd17fe9aac9eaf83341e0395d24f4dbf4bd48f6
                                                      • Opcode Fuzzy Hash: 80624b4a3dc313e565e6e3afa20cfba3a84bd5a3502a02deeb768fd3c1364c2b
                                                      • Instruction Fuzzy Hash: 4912CFB4704795EFEB14CF24D880FA6BBE1BF05354F148999E8998B281E770E841EB90
                                                      Strings
                                                      • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 35A01728
                                                      • HEAP: , xrefs: 35A01596
                                                      • HEAP[%wZ]: , xrefs: 35A01712
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                      • API String ID: 0-3178619729
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                      • API String ID: 0-1145731471
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                                      • API String ID: 0-3870751728
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %$&$@
                                                      • API String ID: 0-1537733988
                                                      Strings
                                                      • GlobalizationUserSettings, xrefs: 35ADB834
                                                      • TargetNtPath, xrefs: 35ADB82F
                                                      • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 35ADB82A
                                                      Similarity
                                                      • API ID:
                                                      • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                      • API String ID: 0-505981995
                                                      Strings
                                                      • HEAP: , xrefs: 35A5E6B3
                                                      • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 35A5E6C6
                                                      • HEAP[%wZ]: , xrefs: 35A5E6A6
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                      • API String ID: 0-1340214556
                                                      Strings
                                                      • minkernel\ntdll\ldrmap.c, xrefs: 35A6A59A
                                                      • LdrpCompleteMapModule, xrefs: 35A6A590
                                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 35A6A589
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                      • API String ID: 0-1676968949
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                      • API String ID: 0-1151232445
                                                      Strings
                                                      • LdrpAllocateTls, xrefs: 35A71B40
                                                      • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 35A71B39
                                                      • minkernel\ntdll\ldrtls.c, xrefs: 35A71B4A
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                      • API String ID: 0-4274184382
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-964947082
                                                      Strings
                                                      • SXS: %s() passed the empty activation context data, xrefs: 35A729FE
                                                      • Actx , xrefs: 35A333AC
                                                      • RtlCreateActivationContext, xrefs: 35A729F9
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                      • API String ID: 0-859632880
                                                      Strings
                                                      • GlobalFlag, xrefs: 35A8B68F
                                                      • @, xrefs: 35A8B670
                                                      • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 35A8B632
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                      • API String ID: 0-4192008846
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
                                                      • API String ID: 0-1050206962
                                                      Strings
                                                      • DLL "%wZ" has TLS information at %p, xrefs: 35A71A40
                                                      • LdrpInitializeTls, xrefs: 35A71A47
                                                      • minkernel\ntdll\ldrtls.c, xrefs: 35A71A51
                                                      Similarity
                                                      • API ID:
                                                      • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                      • API String ID: 0-931879808
                                                      Strings
                                                      • @, xrefs: 35A412A5
                                                      • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 35A4127B
                                                      • BuildLabEx, xrefs: 35A4130F
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                      • API String ID: 0-3051831665
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: RtlValidateHeap
                                                      • API String ID: 3446177414-1797218451
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@
                                                      • API String ID: 0-149943524
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$TargetPath
                                                      • API String ID: 0-4164548946
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \REGISTRY\USER\$\Software\Microsoft\Windows
                                                      • API String ID: 0-4122831824
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Log$RXACT
                                                      • API String ID: 0-2401810139
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: $$$
                                                      • API String ID: 3446177414-233714265
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                      • API String ID: 0-118005554
                                                      Strings
                                                      • RtlpInitializeAssemblyStorageMap, xrefs: 35A72A90
                                                      • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 35A72A95
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                      • API String ID: 0-2653619699
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 35AD3356
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID:
                                                      • API String ID: 4062629308-0
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      APIs
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      APIs
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: W
                                                      • API String ID: 0-655174618
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CWDIllegalInDLLSearch
                                                      • API String ID: 0-473384322
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PreferredUILanguages
                                                      • API String ID: 0-1884656846
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: verifier.dll
                                                      • API String ID: 0-3265496382
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializeProcess
                                                      • API String ID: 0-2689506271
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      Strings
                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 35A00058
                                                      Similarity
                                                      • API ID:
                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                                      • API String ID: 0-996340685
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Actx
                                                      • API String ID: 0-89312691
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrCreateEnclave
                                                      • API String ID: 0-3262589265
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: edadb16b3e1f6cb08bdb2f83f83bae60198926f39d4f7d53e97820b893d8a54a
                                                      • Instruction ID: 61351070c76958d2400951c7518e7844b08aace97ad659222903979ca62cbeb6
                                                      • Opcode Fuzzy Hash: edadb16b3e1f6cb08bdb2f83f83bae60198926f39d4f7d53e97820b893d8a54a
                                                      • Instruction Fuzzy Hash: A3C13479A043908FEB14CF18C9D0F6977B2FB44764F054159EC629F3A2DB308A42E7A0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5b78b7f51ab90eaaf99a3a64b30b256d6f67142523ddb1be2ef1b3bb777eb19e
                                                      • Instruction ID: 100cb1a04a03f7dd790055bd9e78dbc5617878122410f5a51515bb27d1bad1fc
                                                      • Opcode Fuzzy Hash: 5b78b7f51ab90eaaf99a3a64b30b256d6f67142523ddb1be2ef1b3bb777eb19e
                                                      • Instruction Fuzzy Hash: CFA14AB5A04215AFEB12CFA4CC81FAE3BB9AF49794F410054FD10BB2A0D7759D51EBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac246e365be52c827deb6f138a6d6fdea14e4f5b4d99e6f0a6564c7e226997bc
                                                      • Instruction ID: 57673d2531ef7e48ea3998b6c81912b1c31bfdc92ba619b06577ee6493fc2683
                                                      • Opcode Fuzzy Hash: ac246e365be52c827deb6f138a6d6fdea14e4f5b4d99e6f0a6564c7e226997bc
                                                      • Instruction Fuzzy Hash: 2AA1677A610609DFD715CF18C980E1AF7F6FF88340F24856AD96A8B660E770E981DF80
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f4648d852a2a178987b3daa63ff103cfd258de9acd8677ce10d0c0c3e106aa57
                                                      • Instruction ID: be76e9863de1f11af3a40850c9fcf968f51d13359110412592054e54c12ebd9a
                                                      • Opcode Fuzzy Hash: f4648d852a2a178987b3daa63ff103cfd258de9acd8677ce10d0c0c3e106aa57
                                                      • Instruction Fuzzy Hash: A0B19DB8A283058FDB14CF19E880F98B7B1BF08358F508569DC259B291DB75E847EF90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                      • Instruction ID: 79ef17a12f9f3a3c1a178fbc3ef4eb08fd84b94c320d8ec595c8a6a749955b7a
                                                      • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                      • Instruction Fuzzy Hash: 1F71B079A0521E9BDF10CE65C990EAEB7FEBF04780F55411AEC11AB240E7B4D981EBD0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                      • Instruction ID: 88a4148b9fb7b04b74f55ccdc7fe4d12f1a30e6c5113c5a77e5d2c4ee9d89be5
                                                      • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                      • Instruction Fuzzy Hash: 9081AC76E04215DFDF04CF59C981FAEB7B2FB84348F55812ACC25A7344DA3199429B91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0464d46f93bfd7c0701c97f52f54e66cd3f1ed5944733c344c1e60a05eef4066
                                                      • Instruction ID: 88cbbb729128e74a06bdd59c3646c12392ed7245511eef02340eb7b24b4d313c
                                                      • Opcode Fuzzy Hash: 0464d46f93bfd7c0701c97f52f54e66cd3f1ed5944733c344c1e60a05eef4066
                                                      • Instruction Fuzzy Hash: 82819974A00705AFDB15CF68CA81F9ABBF5FF48304F10856AE956C7281D770EA85DBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1570d2c19de636973f75cccfc50477a0a5fa4b7d102a1ba7683935591ebf6ceb
                                                      • Instruction ID: 507efd2d3da46c19623567c1ea0cc9a56e90959bd8d1543ff60b003f9e4ef09f
                                                      • Opcode Fuzzy Hash: 1570d2c19de636973f75cccfc50477a0a5fa4b7d102a1ba7683935591ebf6ceb
                                                      • Instruction Fuzzy Hash: 00718F76A00618EFDB11DFA8D990EAEB7B5FF48740F504016EC51AB260D731ED42EBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf1c962be8a1e73dfffb066c112a7669f194787fc6e7209020b19ff3e3586a2a
                                                      • Instruction ID: bbc3882e4e456151249890e4aa825934765be7450c63f85f7ff94d0e441a043a
                                                      • Opcode Fuzzy Hash: bf1c962be8a1e73dfffb066c112a7669f194787fc6e7209020b19ff3e3586a2a
                                                      • Instruction Fuzzy Hash: 09819275A00249DFDB09CFA8C590AAEBBF1FF48300F1581A9D859EB351D734EA51DB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e3d55b40388d022f06aa73d92d769ce3e5fb60e142e0eede00108e9d5e556f6e
                                                      • Instruction ID: eb4a201ab80bd16e6d2200db59b1cd3f7539f1797412df24892baae21a9fd464
                                                      • Opcode Fuzzy Hash: e3d55b40388d022f06aa73d92d769ce3e5fb60e142e0eede00108e9d5e556f6e
                                                      • Instruction Fuzzy Hash: CF619DB5608716AFD711CF64C980F9BBBB9FB48750F004699FCA9C7240DB34A511EBA1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c0b1730ce53a4f6110c2174e65082ed14f5baa127272dc2c0c0848aff89f0966
                                                      • Instruction ID: 9a0e13223bee9c88f58ce3223f7f2c6d8d252a91224fd68e1244f69ee7dc362c
                                                      • Opcode Fuzzy Hash: c0b1730ce53a4f6110c2174e65082ed14f5baa127272dc2c0c0848aff89f0966
                                                      • Instruction Fuzzy Hash: 5F619BB520C7428FE301CB64C994F6AB7F4BF80B44F1444ADACA6CB291DB75E906DB91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d25f01b78f8c1d5a735c58250ae5cb008cb2a835bfd56f0abe6899a7a1280bcb
                                                      • Instruction ID: 2f16560de8524a39f8c0ccb4882fc4b86c2aed7bf6d771a7c5324cffdf4a4c02
                                                      • Opcode Fuzzy Hash: d25f01b78f8c1d5a735c58250ae5cb008cb2a835bfd56f0abe6899a7a1280bcb
                                                      • Instruction Fuzzy Hash: BA519C722083019FD704DF28D840E2BB7E6FB98354F55892EF8A6C7240E774E805AB92
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                      • Instruction ID: 9772e20eed9fc24e854eb15ab3af50e67230fbe1771e2a566ccb2f982d3102c0
                                                      • Opcode Fuzzy Hash: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                      • Instruction Fuzzy Hash: AB51FA796042579ADF04DF58D8A0EBAB3FDBF40784B50405EEC659B201EBB4C942E7E0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d422902d4e08a2debf60f1392b088e6f68e8f87425b902b48cb937cea7153806
                                                      • Instruction ID: c1db27ce20dbe0084c6659dd5f6a96d226cf1b420f09e86454b2dc13e7b52360
                                                      • Opcode Fuzzy Hash: d422902d4e08a2debf60f1392b088e6f68e8f87425b902b48cb937cea7153806
                                                      • Instruction Fuzzy Hash: BC51F2BA7143029BCB019FA08C40E6B77B6FF84284F460869FD55D7251EB34C855E7E2
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ddc49879827d298f7b25c3c2c21af5ea90e20627d7a581ae8fedbaaad11dd52f
                                                      • Instruction ID: d7eb0643c2634395a75371d6972256bc56d69fd7cd9cc9afede9cfafdc2e1c93
                                                      • Opcode Fuzzy Hash: ddc49879827d298f7b25c3c2c21af5ea90e20627d7a581ae8fedbaaad11dd52f
                                                      • Instruction Fuzzy Hash: 10518BB16183449FE320DFA4CE81F5A77B9EF85765F10062DED2197291DB309842EBA1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d2019a139798a6370f39ef226dd72650b8bd7773d69865c98e1f4541c870e4ac
                                                      • Instruction ID: 082c546fc438db9d7df723ecc0e788512b12a02a1c763734d72d98365f05dee4
                                                      • Opcode Fuzzy Hash: d2019a139798a6370f39ef226dd72650b8bd7773d69865c98e1f4541c870e4ac
                                                      • Instruction Fuzzy Hash: 9D4122713417009FD7258F19EE90F1A7BBAFF44761F20442AFD499B290EB71D801AB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                      • Instruction ID: d20d00a4791dfdb95dec57db6010357e9536b8d0e61ff5b6a0882ae5a0e2301d
                                                      • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                      • Instruction Fuzzy Hash: 193101357083459FE711EA2AC801F66B7E5BF89794F44812AFCA58F284E774C841E7A2
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      • Opcode ID: 76f60a64071c34c4707121e28d2e348815a102323a5231e4088188fe223a6b21
                                                      • Instruction ID: 9018b06fb916e6268163bc48dc0147a1e86cd98e85dfde637f1e5156d0dfba50
                                                      • Opcode Fuzzy Hash: 76f60a64071c34c4707121e28d2e348815a102323a5231e4088188fe223a6b21
                                                      • Instruction Fuzzy Hash: 5B21B076A04718AFD3229F59C800F0A7BB9FB84762F16046AAD559B340DB72E901DB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                      • Instruction ID: f957ea30c8107fc5988eb00a5c6f656ef54810d3d513a2db36c67dcbde5d817d
                                                      • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                      • Instruction Fuzzy Hash: 4531AEBAA00304EBEB12CE54C980F5E73A9EB84752F2A8428ED199F240E771DD40CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a371a86a7af55990c7ab9fb4fc5084ee8d2b577d555ae7f43de173b16804b274
                                                      • Instruction ID: 8a1b87faa72a1e477a2759681aff3910e17ce8b62f465854c099550a7fdc7b01
                                                      • Opcode Fuzzy Hash: a371a86a7af55990c7ab9fb4fc5084ee8d2b577d555ae7f43de173b16804b274
                                                      • Instruction Fuzzy Hash: 7C31E371A00619AFDB019FA4CD42EBFB7B9FF44744B050069EC01EB250EB749A51EBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                      • Instruction ID: 60400bb105469328c09edf544236d9c43350535348d5fda1c313eef537bbe0cd
                                                      • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                      • Instruction Fuzzy Hash: CE31CFB2E00219EFC714DF69C880AADB7F1FF58315F15816AE8A4DB341D734AA51DBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3f7ef6010d119159a70e55a1c2896d0bec07369feaf947745203de0cc9ded3fb
                                                      • Instruction ID: 3780cb0bf78c4a86be406a75c9a9ae44bad6315ed4687ced4eba0174a9ec91e9
                                                      • Opcode Fuzzy Hash: 3f7ef6010d119159a70e55a1c2896d0bec07369feaf947745203de0cc9ded3fb
                                                      • Instruction Fuzzy Hash: 5A3104B2700604EFD712CF58CC80F5ABBB9EB88714F184069E949CF252DA76DE41DBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                      • Instruction ID: 6f977198639c95424dbc45d5d34f89d106f0d513093a20b7a8a5cf2b306a61ae
                                                      • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                      • Instruction Fuzzy Hash: 3E313C75604206CFC700CF18C480D4AB7F6FF893A4B6589A9E998AB325D730ED46DB91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0171a2baa2b8cdd056ef179b2b248265a098a023d2b9874c2263a76dccc0d455
                                                      • Instruction ID: fa0292f4bb979c95f6d368ddbfe1b5cbc1b6e7638287591a1bdf5ef707a07a2f
                                                      • Opcode Fuzzy Hash: 0171a2baa2b8cdd056ef179b2b248265a098a023d2b9874c2263a76dccc0d455
                                                      • Instruction Fuzzy Hash: F33145B66083498FC701CF18E940D4A7BE9EF89754F00056AFC51973A0DA34DD15DBA6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2c1c735bce2465f56eac9f516879d2220c33b762a8c92a6c34a776765f0e4d60
                                                      • Instruction ID: ba785afda8e1e20a04e6a0030bbc1f066c899f0c4c251ed58dd8efd7121ed87c
                                                      • Opcode Fuzzy Hash: 2c1c735bce2465f56eac9f516879d2220c33b762a8c92a6c34a776765f0e4d60
                                                      • Instruction Fuzzy Hash: B0310379615B519FD701DF58C881B9977B5FF19394F404065EC08EB200EB74EA03AB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 12ffa20ded7f4158e0d155e6f74ccb682477308f62cc0380426ea7187b4e7ffb
                                                      • Instruction ID: a9a1ac915064d33862f8dc80d6d628ff2e18afecaff4a871b6e9738ebb5c3c99
                                                      • Opcode Fuzzy Hash: 12ffa20ded7f4158e0d155e6f74ccb682477308f62cc0380426ea7187b4e7ffb
                                                      • Instruction Fuzzy Hash: D921D1B16193019BD610DBA8CE41F0A77F9AF44A98F41082AFD1497250EB20DA05E7E6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b82280cf5d69606ce3a11b192ef054848eb2dbc88c60f4f5a7f448c83e8549a0
                                                      • Instruction ID: a073039a33bd2cf46ae89f01e223fa7f6299a64f3736c2169b88a711a6c30916
                                                      • Opcode Fuzzy Hash: b82280cf5d69606ce3a11b192ef054848eb2dbc88c60f4f5a7f448c83e8549a0
                                                      • Instruction Fuzzy Hash: 553178B6A107448FDB10CF59D940F8AB7F1BB84764F11851AEC259B381C779A941EF90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15be0f2ed3ab9c153ae689d563b4bc27d39d8ba02e9ec5db6489e363e3dfbca8
                                                      • Instruction ID: 7721b0eac6ad1f3382f36a3bc283e83a559435384c52229ae9efd7fd78dc221a
                                                      • Opcode Fuzzy Hash: 15be0f2ed3ab9c153ae689d563b4bc27d39d8ba02e9ec5db6489e363e3dfbca8
                                                      • Instruction Fuzzy Hash: 0A2192722003009FD719CF15C542F56B7FAFF85365F15416DE9268B690EBB0E801DB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27df9e98d852709f5af99a303f5733b183ef7cddbd65b63015f4f28b24794773
                                                      • Instruction ID: 740bbf05a2f0cfc12c23294018b258a06b6ab4e509e651d2066b89d52afed60c
                                                      • Opcode Fuzzy Hash: 27df9e98d852709f5af99a303f5733b183ef7cddbd65b63015f4f28b24794773
                                                      • Instruction Fuzzy Hash: 1621D13021A7019FEB219F25DD11F0A7BB3BF442A8F10462AEC66475A0DB31A842FBD5
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d1b1916cf7b05ad7c52c3c6338cc6565dc6c9e8bd64bb825d3b91767332033ac
                                                      • Instruction ID: 5300aaaaa204db1c0794d05e1bc64c4ed5928538cf15c187f83c223d820479de
                                                      • Opcode Fuzzy Hash: d1b1916cf7b05ad7c52c3c6338cc6565dc6c9e8bd64bb825d3b91767332033ac
                                                      • Instruction Fuzzy Hash: 7E21BD7AA0021DEBEB11AF45C8A4F4ABBF4FF49790F014025EC149B210DB349E00DF91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b4583521cd041948444ad7c81ba414c1066f68a659bf6f85508b554ff3b64f1
                                                      • Instruction ID: c1efc83eb9cae9a37294894f41d83e81c850fd858b58068dde0d9e4ca63ef303
                                                      • Opcode Fuzzy Hash: 0b4583521cd041948444ad7c81ba414c1066f68a659bf6f85508b554ff3b64f1
                                                      • Instruction Fuzzy Hash: 31219F76600705AFDB228F95D944E5B7BB9EF847A0F104029F9089B350DA71DD15EBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                                      • Instruction ID: 8922cc44bebfef3a8fb638ce0688510189e10531994cbbda59ff3c74731e3d29
                                                      • Opcode Fuzzy Hash: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                                      • Instruction Fuzzy Hash: 56218CB5A00308EFE721DF98C940E6ABBF8EF84390F10846AE956A7340D3709E41DB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e881c47e10832a36ac091a1fcb317b4b9639d5e2bcfd7cfeeb42b6a99c4f250
                                                      • Instruction ID: 29839a55285d6c93cfc07d92193400996bd49f9aa925b025a4edb73c6bd36d8a
                                                      • Opcode Fuzzy Hash: 1e881c47e10832a36ac091a1fcb317b4b9639d5e2bcfd7cfeeb42b6a99c4f250
                                                      • Instruction Fuzzy Hash: 1201F5B6240509BFD7059F52CD80EA2F77DFF41391F900525F91042560C731ACA1EBA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f67d8731ba89fd94d28b962bc4502077ed325036e0664ead88be03f213f46c88
                                                      • Instruction ID: 4664606c42678c20dd9a38f2883d026a005045fd45968c7faa7381aec095e697
                                                      • Opcode Fuzzy Hash: f67d8731ba89fd94d28b962bc4502077ed325036e0664ead88be03f213f46c88
                                                      • Instruction Fuzzy Hash: AC111876621610DFCB29CF58CE51F6E73B9FB48648F56006DE812B7610E738AC01EB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                      • Instruction ID: 53c8207d4fc9a8268a16303ac9faa4ca87d507441fc5ae11c95e7e192ef0fbf0
                                                      • Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                      • Instruction Fuzzy Hash: 6B01F137251A94EFD3228F65CE80F16BBB8FB51B90F540020BF421B5B1D264E890E680
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b47f002d4c5c3137ef9f3c7ac66e8fe835558dfe2b56b935eeb7350b9ae74f28
                                                      • Instruction ID: 88be74b1e971353d542a2e1550e90d81168f4a468502212b50837e7e572cc512
                                                      • Opcode Fuzzy Hash: b47f002d4c5c3137ef9f3c7ac66e8fe835558dfe2b56b935eeb7350b9ae74f28
                                                      • Instruction Fuzzy Hash: 7F11AD72900B12CFE7218F15C880F12B3F9FF40BA7F15886DD8994A5A5D7B6E881DB10
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f95f64045334e8146345406673f67d3f1d458778d9a28c8c8b4c3daf75f6c8a5
                                                      • Instruction ID: fcdc27ae6beef55e393bf13a75e16045259efc7dfaa516759a74a804e8d56ecc
                                                      • Opcode Fuzzy Hash: f95f64045334e8146345406673f67d3f1d458778d9a28c8c8b4c3daf75f6c8a5
                                                      • Instruction Fuzzy Hash: 51014C71A10348ABDB04DFA9D951EAEBBB8EF44740F444066BD00EB380DAB4DA01DB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5d0dc9c46eb1b5e47105cdb9c436cdd91b0b737084e57e7f19fb704376db7557
                                                      • Instruction ID: a65d1802fefbd614698bfbe7dc80a75e9e9f8cd900f136a671005b6dbbe84548
                                                      • Opcode Fuzzy Hash: 5d0dc9c46eb1b5e47105cdb9c436cdd91b0b737084e57e7f19fb704376db7557
                                                      • Instruction Fuzzy Hash: 3F015E71A10348AFDB04DFA9D941FAEBBB8EF84750F444066BD00EB381DAB4DA41DB95
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f2de0d86effeacf548bdde4d36220a0e2c1ba5d78ef3e9e4a4e5e3cb4c4b035e
                                                      • Instruction ID: 81a44774e7194e94cf8bbfedf4ead6ae7f7c1767446d112798d3af83795d5278
                                                      • Opcode Fuzzy Hash: f2de0d86effeacf548bdde4d36220a0e2c1ba5d78ef3e9e4a4e5e3cb4c4b035e
                                                      • Instruction Fuzzy Hash: B101FC76B06244DBE701DAD4F901F5973AAEB846A8F124116FD248B280DB74D901E791
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                      • Instruction ID: ad6fa25167ef09269efbef791bb3a170c73aa646e57d8438ae5a51cc0b6f4110
                                                      • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                      • Instruction Fuzzy Hash: 5101D672704205AFCB16CA9ADD02E5F3ABCAF95785F10006ABE15D7560EA30D902E760
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 26d35a3812bcd65c8e4e0b3b948df127467505b89895196ba8e2154903b7d52b
                                                      • Instruction ID: fd1b56e364f8fdba94342abfc06034086a702084942132271e0a25b0e27e1b2f
                                                      • Opcode Fuzzy Hash: 26d35a3812bcd65c8e4e0b3b948df127467505b89895196ba8e2154903b7d52b
                                                      • Instruction Fuzzy Hash: E9017171A10358ABDB00DBE9D905FAE77B8EF84740F444166B910EB380DAB4D901D794
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b8059a0d885677ca7125431a6dee4324abbc239da28ddd41bf09ae115d7711c3
                                                      • Instruction ID: 619f7d5985fe87fbe7349fa9103fa36fd73cb3402c75e5f729927b27ada75264
                                                      • Opcode Fuzzy Hash: b8059a0d885677ca7125431a6dee4324abbc239da28ddd41bf09ae115d7711c3
                                                      • Instruction Fuzzy Hash: 2D018471B10308ABDB14DFA9D845FAEB7B8EF44740F004026BD00EB380DA75D901D794
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 29c616f1efdad5cc8b9a5c6af8bbc168ca458de1f09a0bd692bbbf5bf4a32861
                                                      • Instruction ID: c864d05bbdd34741644095891964daa3ee7f6f3c05645914eca820dad79db646
                                                      • Opcode Fuzzy Hash: 29c616f1efdad5cc8b9a5c6af8bbc168ca458de1f09a0bd692bbbf5bf4a32861
                                                      • Instruction Fuzzy Hash: 82018471A14308ABDB04DFA9D945FAEBBB8EF44740F004026BD00EB380DA75DA01D795
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                      • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                      • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                      • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7de36d952f94135ce8c353c1ca62fdab15679a75e658a788294ac0492875d30f
                                                      • Instruction ID: f38fb5458bc7c9e58a068577cd9f7b8f7cacd63ed0302df8ecfb3cc9bee3d008
                                                      • Opcode Fuzzy Hash: 7de36d952f94135ce8c353c1ca62fdab15679a75e658a788294ac0492875d30f
                                                      • Instruction Fuzzy Hash: DE116D74E10249EBCB04DFA8D540EAEB7B4EF08304F14845AA814EB340DB34DA02CB64
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                                      • Instruction ID: 4b37ed9ad5c91725c8c7c3bbf086ca97461135808fb825e58103e7f4aa41f355
                                                      • Opcode Fuzzy Hash: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                                      • Instruction Fuzzy Hash: EB114F76640A44CFC375CB04C551FA5B7A1EB48B14F14843DD90E4BB80CF3AA846EF90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0bb81e6ab45da64ad07fb6f985b4c99ae0361413f2322d61d7752096a3ca25d4
                                                      • Instruction ID: e6443b5380165f8c3c67ba7332e1e13a1c90f04a0f5ea8fee9e280be0fa6ca05
                                                      • Opcode Fuzzy Hash: 0bb81e6ab45da64ad07fb6f985b4c99ae0361413f2322d61d7752096a3ca25d4
                                                      • Instruction Fuzzy Hash: A3110CB0A10249DFDB04DFA9D551AADF7F4BF08340F144266E914EB381D634DA419B50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                      • Instruction ID: 931e70e173c03c12dc12e421356ae675a51e1a13804041fa749782686f5a2a0c
                                                      • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                      • Instruction Fuzzy Hash: 0CF02273A06214BFE30ACF5CC982F6ABBEDEB49694F014069D901DB270E671DE04CA94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                      • Instruction ID: ab0579eca433cbb778ff15016863c12b144a5ac10aa9f6ff385b23b5555c70ce
                                                      • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                      • Instruction Fuzzy Hash: 77F0E53360461467C231AA49CC05F5BBBACDBD5B70F24031ABD249B2D0DA709A02D7D6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a965f6f9c6ba2c04207475b12fbf37aca89ef37f19c9cd3c67255f86763b488
                                                      • Instruction ID: a82f548385a930063528e29695ac46c22284fd258d5561eed242e5c81e552b37
                                                      • Opcode Fuzzy Hash: 3a965f6f9c6ba2c04207475b12fbf37aca89ef37f19c9cd3c67255f86763b488
                                                      • Instruction Fuzzy Hash: 20F0E2B0A04308ABCB04DBA8E955E9EB7F8AF09340F500159AC01EB3D0EA74D9009714
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 39be747e2e42700c4afaa51896d2fcfb2835dd483310122f8d6f26575c58ef82
                                                      • Instruction ID: 9f7bc85a1f98c99971bf7624eaf44e113a6b4a564e0afd998325ae2579a5f55d
                                                      • Opcode Fuzzy Hash: 39be747e2e42700c4afaa51896d2fcfb2835dd483310122f8d6f26575c58ef82
                                                      • Instruction Fuzzy Hash: F4F082B0B14348ABDB04EBE8DA15E6EB3F8AF48744F540459AD11EB381EA74D9019754
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: caca98f109c23524fe19702e1a6bdfbf8c0dca6c1da68df32ee68403b1eeb2b1
                                                      • Instruction ID: 44aca0e1e0a5ddfdea4a339f5739f34c5d3a57e0ab7683128623545f4eff5e57
                                                      • Opcode Fuzzy Hash: caca98f109c23524fe19702e1a6bdfbf8c0dca6c1da68df32ee68403b1eeb2b1
                                                      • Instruction Fuzzy Hash: 46F0A0BAA55794AFE312C79CC184F02B7E9AF00BB0F058661DCA98B501D7A8DC80E651
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f3bf405b7ff560746f68691779aaf5b96d2d64bd587bd7155aa38292a4d223d
                                                      • Instruction ID: ab5689b2826227be3ba634a12fe4cc65e411e62bbde7ee66ac8e09514c7c52e4
                                                      • Opcode Fuzzy Hash: 1f3bf405b7ff560746f68691779aaf5b96d2d64bd587bd7155aa38292a4d223d
                                                      • Instruction Fuzzy Hash: 96F082B1B11348ABDB04CBE9D945EAE77B8AF08344F440055E902EB380D9B4D9419758
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 33ae750fe0e35d52d6f8fa8871320200eba950d351eab4f53aa53274c8de4c45
                                                      • Instruction ID: 31c2fc482ab545a6158f764979034a535564a1bc7700e534b876c498594b6f3b
                                                      • Opcode Fuzzy Hash: 33ae750fe0e35d52d6f8fa8871320200eba950d351eab4f53aa53274c8de4c45
                                                      • Instruction Fuzzy Hash: 68E0E533106714ABD2125A1ADC01F42BBA9FF507B0F114116A968175908B60B811EAD4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0c99eea831e8c372547ff993b47625d00daa4fee31464509104c19dceea5e268
                                                      • Instruction ID: f12e58d009b67260701cde4d333134036da7bc4644c752c6a4ba07b74f151f96
                                                      • Opcode Fuzzy Hash: 0c99eea831e8c372547ff993b47625d00daa4fee31464509104c19dceea5e268
                                                      • Instruction Fuzzy Hash: 14F0A03D6203C49EE311D728E140F01BBF9AB102B8F04C565DCA5C7601C774D881E650
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                      • Instruction ID: cf0c6df4cd70e45ad2dd60e41a1b349c66ed090dacd3ed3274abc0aa886700c8
                                                      • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                      • Instruction Fuzzy Hash: AFE06DB2610600ABD794DB54DE01FA673ECFB40760F500259B926930D0DAB0AE40DA60
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8cdbd8b9e07cd199a807e6689bb366e617232b9a4a6fc9e28f3c5288fa21173d
                                                      • Instruction ID: c6f6016fe9c89c6600338ff1ecd85639d45a74fdb3448c34f5881f33ed95405f
                                                      • Opcode Fuzzy Hash: 8cdbd8b9e07cd199a807e6689bb366e617232b9a4a6fc9e28f3c5288fa21173d
                                                      • Instruction Fuzzy Hash: C4F017B2A21300DFDB50EF58FD42B087BB1F740321F20846AD802A7680DB374407AF60
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2cc62dcc46cefeb06f6713f5f413ceb30c68a275a210854608be74e1febdc331
                                                      • Instruction ID: e2bee01dab363912280cfb9256f4f46666c5926d5310f9a40ccbae61a92c72a8
                                                      • Opcode Fuzzy Hash: 2cc62dcc46cefeb06f6713f5f413ceb30c68a275a210854608be74e1febdc331
                                                      • Instruction Fuzzy Hash: FFE02039705BD85BD701D7155240D7EF3E7AF80EA0B058415DC2557601EF20DF00F691
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 20c16674a9e390939da292bfd352d0eff1de3ca93f6ad0acb61356b8cb51665e
                                                      • Instruction ID: 771956f1f66ddb47f4dc85593504b425959f42dab5c6162c9883372068b763a3
                                                      • Opcode Fuzzy Hash: 20c16674a9e390939da292bfd352d0eff1de3ca93f6ad0acb61356b8cb51665e
                                                      • Instruction Fuzzy Hash: 83E092323205006BC6159A19EE00F4EB3BDFFD0760F010126E60497690CB70B902DB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6067274c2ada818ddb195711b39d58936e667c7980b62c0cf2dc4fb6a9a8ec9
                                                      • Instruction ID: 8423f99743ba6d793620aab0449e291280ad019e5bfeb749c3e769453664f829
                                                      • Opcode Fuzzy Hash: f6067274c2ada818ddb195711b39d58936e667c7980b62c0cf2dc4fb6a9a8ec9
                                                      • Instruction Fuzzy Hash: 9BE0DF7920634CABE700DB08C542F74B7EAAB44B28F009015FD288B150CBB0D980EF00
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                      • Instruction ID: ffa101ebbb64b68625cc74107859ba631e7b9ce5dcd4e68e9df74004028b001d
                                                      • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                      • Instruction Fuzzy Hash: 54E0CD31344218B7DB125E40CC00F557769EB407D1F104031FF085A650CAB1AD51E6D4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 63ba74d96cad0af6f082141b301e98b57edbe336ace5056671719e565fe9528f
                                                      • Instruction ID: d49736a6792797b63a50633a123a657d921f00fe52f2de191ef5d41bfac9fe1e
                                                      • Opcode Fuzzy Hash: 63ba74d96cad0af6f082141b301e98b57edbe336ace5056671719e565fe9528f
                                                      • Instruction Fuzzy Hash: 28F06578219B80CFE30ADF08D1E1F1537F9FB45B40F800058C8428BBA2CB3AA942EA40
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf4effa38bb9532a18e4269c2f2655c9e1f250e0372df2da82f61a5d4cc3f4de
                                                      • Instruction ID: 51fb5705173234a20801e387c8975e370e77ad4b3f8bc538a8e2a82ce19b1062
                                                      • Opcode Fuzzy Hash: bf4effa38bb9532a18e4269c2f2655c9e1f250e0372df2da82f61a5d4cc3f4de
                                                      • Instruction Fuzzy Hash: B3E012B83195008FDB068E18D951F493776BB81B85F1444A8E902A3564DB34D95BFB40
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c71b0c9ef145b42926eaac37b1b97a6522bd3345b7d35bc122438fe3aad4b280
                                                      • Instruction ID: 730577e5270c8215910782f50cbc283fa586a9063c6b191b702338c00f07e1a9
                                                      • Opcode Fuzzy Hash: c71b0c9ef145b42926eaac37b1b97a6522bd3345b7d35bc122438fe3aad4b280
                                                      • Instruction Fuzzy Hash: AEE08C3D2203899BE700DA19A894F95B7E66B886A0F048026AC284B551CB79D884EE00
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a05372d45575551282bb48782685d665386a78ab7a34101fe9580eea8245d1a5
                                                      • Instruction ID: 916162d0d5b9d644300c81061c41ef2603aa6f708277d8b37a802d07c316b602
                                                      • Opcode Fuzzy Hash: a05372d45575551282bb48782685d665386a78ab7a34101fe9580eea8245d1a5
                                                      • Instruction Fuzzy Hash: 2890022230140603D54071586418E06401597E1311FA6D452F5814514DD925895A6622
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5aee286c4b0ca278b0ef2be301363b3366516f93f0e73d6c44bf9acad16ca545
                                                      • Instruction ID: 5686a5fbc074ccdd0286e3b25e7d83a0afedaf2cd0e1052fb381e843b4701b57
                                                      • Opcode Fuzzy Hash: 5aee286c4b0ca278b0ef2be301363b3366516f93f0e73d6c44bf9acad16ca545
                                                      • Instruction Fuzzy Hash: B990022220544A42D50075586408E06001547D0215FA6D452B6464555EC6358955B531
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a38d9564b7dfae2223de0a726200e913c2d48ece8495899c3d83b401985a5a57
                                                      • Instruction ID: 884d3e7ae4a0f8252518cb9beeb9294313cf98dc458911a1e94add4bbdabf71b
                                                      • Opcode Fuzzy Hash: a38d9564b7dfae2223de0a726200e913c2d48ece8495899c3d83b401985a5a57
                                                      • Instruction Fuzzy Hash: EF90022A21340602D58071586408E0A001547D1212FE6D856B5415518DC925896D6721
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6b227d3ddd3660a29feef708116facea89df2a7f8266e50b25d4171bd5de6978
                                                      • Instruction ID: ac4b2a2f3b94c1cb0c5b56d27ccb4a1c51c0b8e347e5d1dfcc563375d3ba5bbe
                                                      • Opcode Fuzzy Hash: 6b227d3ddd3660a29feef708116facea89df2a7f8266e50b25d4171bd5de6978
                                                      • Instruction Fuzzy Hash: 6990023220140A02D50075986408E46001547E0311FA6D452BA424515FC67589957531
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d0fef4e8f27031f428d137ae80ad1f29e66754a67cab099a8eda7f9e9ee2ae4
                                                      • Instruction ID: 9835094b24a3a5390d9a505597fda2ef389a3ef35349fe0ca0bfaddd6612c85e
                                                      • Opcode Fuzzy Hash: 7d0fef4e8f27031f428d137ae80ad1f29e66754a67cab099a8eda7f9e9ee2ae4
                                                      • Instruction Fuzzy Hash: B290023220140A03D50071586508F07001547D0211FA6D852B5824518ED66689557521
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d4642b4a8392f93777f5002b8ac30d22e142f9d84b3276072ced7ea7fc5e2d30
                                                      • Instruction ID: 57320d4513dbf504f68cce9479924dd2bddbffcdbed40177d1c4a0cb86fd5b96
                                                      • Opcode Fuzzy Hash: d4642b4a8392f93777f5002b8ac30d22e142f9d84b3276072ced7ea7fc5e2d30
                                                      • Instruction Fuzzy Hash: C490022260540A02D54071586418F06002547D0211FA6D452B5424514EC6698B597AA1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d83d228e8244ca7abf28b6f22c791902e34204bcfb301677cd051cd94826acd1
                                                      • Instruction ID: 6606926d7349842096183ed06d2d8e0be6b5e28fedd7ef5557ccc11eef25f72b
                                                      • Opcode Fuzzy Hash: d83d228e8244ca7abf28b6f22c791902e34204bcfb301677cd051cd94826acd1
                                                      • Instruction Fuzzy Hash: 0E90023220140E42D50071585404F46001547E0311FA6C457B5524614E8625C9557921
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 10f6d776b45efa7d6af4b7f71f3da16b6c4d80c1247468521c7181303fa1e081
                                                      • Instruction ID: 13939d19ba1b1e5c841192cee29d3bd252790b044b9449e948b5184b4d9fc57c
                                                      • Opcode Fuzzy Hash: 10f6d776b45efa7d6af4b7f71f3da16b6c4d80c1247468521c7181303fa1e081
                                                      • Instruction Fuzzy Hash: 9590023220148E02D51071589404F4A001547D0311FAAC852B9824618E86A589957521
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 850e48b776f9bc5ac5dd216b63598ddf97a7c384f9250b9624d88f2aba0cc055
                                                      • Instruction ID: 8474558a6e4b666761e338fa862622984fefdbe5500e4e58f8942e292391f755
                                                      • Opcode Fuzzy Hash: 850e48b776f9bc5ac5dd216b63598ddf97a7c384f9250b9624d88f2aba0cc055
                                                      • Instruction Fuzzy Hash: CC90023220180A02D50071585808F47001547D0312FA6C452BA564515F8675C9957931
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c3b4604b48b7b937a53121c5479c6ea86d5d5cbe28371e36e8009807c09c04a2
                                                      • Instruction ID: f1dd8f1aabf68e3775fb94727996a2991de36b0305ba5ccd9732276395f064ee
                                                      • Opcode Fuzzy Hash: c3b4604b48b7b937a53121c5479c6ea86d5d5cbe28371e36e8009807c09c04a2
                                                      • Instruction Fuzzy Hash: 6F90022260140642454071689844D0640156BE12217A6C562B5D98510E856989696A65
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f61dcf69ad1a652e14231a88e8a19bc2f838b4a415d06bb792dda97ba9f6036
                                                      • Instruction ID: 0ca073c3e2b0081034faea38105758bf3cf513c0c5ef963110ecbaa240f72c1b
                                                      • Opcode Fuzzy Hash: 2f61dcf69ad1a652e14231a88e8a19bc2f838b4a415d06bb792dda97ba9f6036
                                                      • Instruction Fuzzy Hash: 1C90023220180A02D50071585814F0B001547D0312FA6C452B6564515E863589557971
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 10cbe337a1edceb2a475b33bdccb0e95f116b95a8b0406829cb2bb0d85de03b4
                                                      • Instruction ID: 419bf36bce786989a4e4f296ce9017bc4aaa813e3ffd6b756fbb82d897cf1204
                                                      • Opcode Fuzzy Hash: 10cbe337a1edceb2a475b33bdccb0e95f116b95a8b0406829cb2bb0d85de03b4
                                                      • Instruction Fuzzy Hash: 85900222211C0642D60075685C14F07001547D0313FA6C556B5554514DC92589656921
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 870c7856436cd4c0be22cfada84f6ce2933e8901c14bd7730df1d41d34e8efe8
                                                      • Instruction ID: 4e4cca886c3fb28700994f81ebb2146d2fcd0358125e9afa5f6e6876308a3078
                                                      • Opcode Fuzzy Hash: 870c7856436cd4c0be22cfada84f6ce2933e8901c14bd7730df1d41d34e8efe8
                                                      • Instruction Fuzzy Hash: 4190026234140A42D50071585414F06001587E1311FA6C456F6464514E8629CD567526
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb2496394e4f1ed975554f6f089e0999c6db8d2746f80a4f13a4ea25bc9e8554
                                                      • Instruction ID: 14141ccb727ee1fa50d6afee1317d8df64dff54a224ba81c865efcc122dd41ef
                                                      • Opcode Fuzzy Hash: bb2496394e4f1ed975554f6f089e0999c6db8d2746f80a4f13a4ea25bc9e8554
                                                      • Instruction Fuzzy Hash: A790026221140642D50471585404F06005547E1211FA6C453B7554514DC5398D656525
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 950382903d6f52b945a37af5b4e829db767afaeab50dbcf00d082e4da8ef92c4
                                                      • Instruction ID: d52243d29fe09781d2e80b2d328629aa03715027ca5840deaab11e934873b211
                                                      • Opcode Fuzzy Hash: 950382903d6f52b945a37af5b4e829db767afaeab50dbcf00d082e4da8ef92c4
                                                      • Instruction Fuzzy Hash: 0390027220140A02D54071585404F46001547D0311FA6C452BA464514F86698ED97A65
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 51e0412eb304dc22477b30672a1f0f950bedab283428ad735e86329d6edc957c
                                                      • Instruction ID: b018a417a92eef74cbd1b1eebadd0c80dc61ad88ce48ae08a1722360fa9564a9
                                                      • Opcode Fuzzy Hash: 51e0412eb304dc22477b30672a1f0f950bedab283428ad735e86329d6edc957c
                                                      • Instruction Fuzzy Hash: 6A90022260140B02D50171585404E16001A47D0251FE6C463B6424515FCA358A96B531
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd

                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105

                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105

                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: HEAP:
                                                      • API String ID: 3446177414-2466845122

                                                      Strings
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 35A74725
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 35A74742
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 35A74787
                                                      • Execute=1, xrefs: 35A74713
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 35A746FC
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 35A74655
                                                      • ExecuteOptions, xrefs: 35A746A0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      • Opcode ID: ff8c7d3b492c4361f5a271af08c09ed45c7614a0d7a6d3894056971316885a21
                                                      • Instruction ID: 8b747012cc322fe057636a65a9fc7b52a4982bf0c278d3d071a38d4bd07980a7
                                                      • Opcode Fuzzy Hash: ff8c7d3b492c4361f5a271af08c09ed45c7614a0d7a6d3894056971316885a21
                                                      • Instruction Fuzzy Hash: DD5126757013197AEB11DAA4ED96FAE77B8BF04349F4000E9ED05A7180EB709B41EF50
                                                      APIs
                                                      Strings
                                                      • GsHd, xrefs: 35A1D874
                                                      • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 35A6936B
                                                      • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 35A69565
                                                      • Actx , xrefs: 35A69508
                                                      • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 35A69346
                                                      • RtlpFindActivationContextSection_CheckParameters, xrefs: 35A69341, 35A69366
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                      • API String ID: 3446177414-2196497285
                                                      • Opcode ID: b25e320b1cb3082bd0a7a133d8237e82a8b72b1d3614f4387ff3a3d0e8217e39
                                                      • Instruction ID: 079d3dd81150d0dcb60b4147f614dff834190b0a38317e2b50b32d6a4594bd0f
                                                      • Opcode Fuzzy Hash: b25e320b1cb3082bd0a7a133d8237e82a8b72b1d3614f4387ff3a3d0e8217e39
                                                      • Instruction Fuzzy Hash: B1E1A2746083028FE710CF64C880F5AB7F5BF88358F454A6DEDA68B281D771EA45DB92
                                                      APIs
                                                      • RtlDebugPrintTimes.NTDLL ref: 359F656C
                                                        • Part of subcall function 359F65B5: RtlDebugPrintTimes.NTDLL ref: 359F6664
                                                        • Part of subcall function 359F65B5: RtlDebugPrintTimes.NTDLL ref: 359F66AF
                                                      Strings
                                                      • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 35A59A2A
                                                      • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 35A599ED
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 35A59A11, 35A59A3A
                                                      • apphelp.dll, xrefs: 359F6496
                                                      • Getting the shim engine exports failed with status 0x%08lx, xrefs: 35A59A01
                                                      • LdrpInitShimEngine, xrefs: 35A599F4, 35A59A07, 35A59A30
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 3446177414-204845295
                                                      • Opcode ID: d2db1d59f5ff4ff1b69c136214d00db7ee45c10bbe54b37d1ecf441fec8a64be
                                                      • Instruction ID: 9f63650c2d6bd7de35d8b81e476fc27d882a933b16dfa9b8d688ea5f793f62af
                                                      • Opcode Fuzzy Hash: d2db1d59f5ff4ff1b69c136214d00db7ee45c10bbe54b37d1ecf441fec8a64be
                                                      • Instruction Fuzzy Hash: D751BE712183049FE721DF24ED41E5B77F8FB84694F40091AFA95AB190DB31E906EBA2
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                                      • API String ID: 3446177414-4227709934
                                                      • Opcode ID: fc7ec57fd4498ffd7f42ae00aa7b5d30e24feb5d4f383354cad0cfdf5ed4e4c6
                                                      • Instruction ID: c546452ab8f70dd8cf7627be106f38d5127cb9321e5108e70f7bb3ff07f8b617
                                                      • Opcode Fuzzy Hash: fc7ec57fd4498ffd7f42ae00aa7b5d30e24feb5d4f383354cad0cfdf5ed4e4c6
                                                      • Instruction Fuzzy Hash: E1416DB9A00209ABDF01DF99C980EDEBBB5BF48354F100169ED25A7341D771AA11EBA0
                                                      APIs
                                                      Strings
                                                      • LdrpLoadShimEngine, xrefs: 35A59ABB, 35A59AFC
                                                      • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 35A59AF6
                                                      • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 35A59AB4
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 35A59AC5, 35A59B06
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 3446177414-3589223738
                                                      • Opcode ID: 43f9d12358623b987b17bcbe79f0241b1fe07b4869181d590dd3aca2d305a16c
                                                      • Instruction ID: 0575520dece17ca5b6392bdced2ba3c2bfe51e3bb7889bc0251425521c6a4b80
                                                      • Opcode Fuzzy Hash: 43f9d12358623b987b17bcbe79f0241b1fe07b4869181d590dd3aca2d305a16c
                                                      • Instruction Fuzzy Hash: AD511076B143489FDB04DBACDC44E9D77B6BB84354F050129E991BF285CB71AC42EB90
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                                      • API String ID: 3446177414-3224558752
                                                      • Opcode ID: 9a399a1ce301577b23b76cb16af92371e111d3faf8f51dc7895a97473decf2d5
                                                      • Instruction ID: a0108d911e85c89056d1b4cd88e8c3af3883538fd5f705dff86ef66a1903fff8
                                                      • Opcode Fuzzy Hash: 9a399a1ce301577b23b76cb16af92371e111d3faf8f51dc7895a97473decf2d5
                                                      • Instruction Fuzzy Hash: 69414479604380DFE701CF24C995F9AB3F5FF40368F108569DD2197292CB74A881EB91
                                                      APIs
                                                      Strings
                                                      • ---------------------------------------, xrefs: 35AAF279
                                                      • Entry Heap Size , xrefs: 35AAF26D
                                                      • HEAP: , xrefs: 35AAF15D
                                                      • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 35AAF263
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                                      • API String ID: 3446177414-1102453626
                                                      • Opcode ID: 7f30dc4eac8f765cfddacb8eee0087abf54e8d8b7b0c70f83124e2e4dcddc5bc
                                                      • Instruction ID: c92659d70abe5a0099d520d4995a9933a9ee393fff1a8a18dfe371031e09ef5f
                                                      • Opcode Fuzzy Hash: 7f30dc4eac8f765cfddacb8eee0087abf54e8d8b7b0c70f83124e2e4dcddc5bc
                                                      • Instruction Fuzzy Hash: 08413A3EA14215DFCB08CF58D884D59BBF6FF493547258169D818AB211DB31AC46EB90
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                                      • API String ID: 3446177414-1222099010
                                                      • Opcode ID: e93973ed2efa9fd62b9acd8ac463222c280394583625c73fafbaaaa3ac4a293b
                                                      • Instruction ID: 670b58a5257fbf8e32b45c142b1d9eca9026c5701a281f9770a7c8b4c68a139c
                                                      • Opcode Fuzzy Hash: e93973ed2efa9fd62b9acd8ac463222c280394583625c73fafbaaaa3ac4a293b
                                                      • Instruction Fuzzy Hash: 66313935208784DFE312CB28CC05F4AB7F5FF01754F054495EC6697A92CBB4A882DB52
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                      • Instruction ID: 9e6693dfad1e0542ff9abaacd2492922a16b9b544907931713f042ef7fe7a5e9
                                                      • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                      • Instruction Fuzzy Hash: 1C817EF8A0A24D8EEF04CEE4C891FAEBBF2BF45350F544159DCA1A7391C7749841AB51
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: $$@
                                                      • API String ID: 3446177414-1194432280
                                                      • Opcode ID: 871667547fc5f026192e745de46427b14bd613c4fcdb121a6c259066e6598736
                                                      • Instruction ID: 687a648549e28015f04b7207486c1c50df44b670d29b9efed8773275928562c6
                                                      • Opcode Fuzzy Hash: 871667547fc5f026192e745de46427b14bd613c4fcdb121a6c259066e6598736
                                                      • Instruction Fuzzy Hash: 468148B5E042699BDB21CB54DD44FDEB7B4AF08750F0041EAAD19B7280E7349E85EFA0
                                                      APIs
                                                      Strings
                                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 35A7362F
                                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 35A7365C
                                                      • LdrpFindDllActivationContext, xrefs: 35A73636, 35A73662
                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 35A73640, 35A7366C
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                      • API String ID: 3446177414-3779518884
                                                      • Opcode ID: 79bddb038d023b021d27396d29fcc48aa6b57f13d7ab03d075967cb32b3a7185
                                                      • Instruction ID: 5087a00cfdb6810fa5e33cbe72042c848de6af2dd81c9416245227a93cf4071b
                                                      • Opcode Fuzzy Hash: 79bddb038d023b021d27396d29fcc48aa6b57f13d7ab03d075967cb32b3a7185
                                                      • Instruction Fuzzy Hash: 4C313876906311ABEB11DB58CC4EF1AB3A4FB017DCF024066DC2567160EBA0EC80B7B4
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$[$]:%u
                                                      • API String ID: 48624451-2819853543
                                                      • Opcode ID: accdded624980c5d433dc92baf9601e761119676569d2b810009d9084c5847b4
                                                      • Instruction ID: e2a4f907dd3425a3612539cee403ecbb2a1d7acd6dac7437d061156e2151e3cb
                                                      • Opcode Fuzzy Hash: accdded624980c5d433dc92baf9601e761119676569d2b810009d9084c5847b4
                                                      • Instruction Fuzzy Hash: 0A2151B6A00219ABDB10DE69DC40EAE7BFDAF58690F440116ED15E3200EB709902ABE1
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 3446177414-3610490719
                                                      • Opcode ID: c2c1f1db403a9e037107f2ebf61e099f66004ac29ee626596a0977704ba95135
                                                      • Instruction ID: fa46c97fb8c4e0f354499447847c2465daaeb5c24e75d153a34b01aab1335722
                                                      • Opcode Fuzzy Hash: c2c1f1db403a9e037107f2ebf61e099f66004ac29ee626596a0977704ba95135
                                                      • Instruction Fuzzy Hash: F6913471304741DFE715CF24C980F2AB7BABF84751F000899ED919B281EB75E841DBA6
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      • Associated: 00000004.00000002.2282846569.0000000035AF9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035AFD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Snapshot File: hcaresult_4_2_359d0000_Quotation.jbxd
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: $File
                                                      • API String ID: 3446177414-2412145507
                                                      Strings
                                                      • Failed to reallocate the system dirs string !, xrefs: 35A782D7
                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 35A782DE
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 35A782E8
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 3446177414-1783798831
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 35A77BAC
                                                      • RTL: Resource at %p, xrefs: 35A77B8E
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 35A77B7F
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 35A7728C
                                                      Strings
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 35A77294
                                                      • RTL: Re-Waiting, xrefs: 35A772C1
                                                      • RTL: Resource at %p, xrefs: 35A772A3
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      Strings
                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 35A84888
                                                      • LdrpCheckRedirection, xrefs: 35A8488F
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 35A84899
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                      • API String ID: 3446177414-3154609507
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: Wow64 Emulation Layer
                                                      • API String ID: 3446177414-921169906
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID:
                                                      • API String ID: 3446177414-0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                      • String ID:
                                                      • API String ID: 4281723722-0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0$Flst
                                                      • API String ID: 0-758220159
                                                      Strings
                                                      • kLsE, xrefs: 35A00540
                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 35A0063D
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                      • API String ID: 3446177414-2547482624
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 359D0000, based on PE: true
                                                      Similarity
                                                      • API ID: DebugPrintTimes
                                                      • String ID: 0$0
                                                      • API String ID: 3446177414-203156872