Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Quotation____________________________________pdf.exe

Overview

General Information

Sample name:Quotation____________________________________pdf.exe
Analysis ID:1592060
MD5:ac380ebb31729e7fed32dc97d011f7f7
SHA1:2ce4e333861a1b846a0ae5342deebb2de7d5bc4a
SHA256:5d4dc700ab772bfb4ac1fa290c0dfeae62058d31c42b48b5072a2c13b4c419bb
Tags:DarkCloudexeuser-threatcat_ch
Infos:

Detection

DarkCloud
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected DarkCloud
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Quotation____________________________________pdf.exe (PID: 2000 cmdline: "C:\Users\user\Desktop\Quotation____________________________________pdf.exe" MD5: AC380EBB31729E7FED32DC97D011F7F7)
    • powershell.exe (PID: 3804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2960 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • qlOtJNH.exe (PID: 7292 cmdline: C:\Users\user\AppData\Roaming\qlOtJNH.exe MD5: AC380EBB31729E7FED32DC97D011F7F7)
    • schtasks.exe (PID: 7444 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp8F48.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • qlOtJNH.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Roaming\qlOtJNH.exe" MD5: AC380EBB31729E7FED32DC97D011F7F7)
      • WmiPrvSE.exe (PID: 7616 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DarkCloud StealerStealer is written in Visual Basic.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8181099166:AAHWiTz10g_-_BPRNk3yroxe3fl_IXTpU7s/sendMessage?chat_id=6250686237"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
    00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
    • 0x478c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
    0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
      00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
        Process Memory Space: Quotation____________________________________pdf.exe PID: 2000JoeSecurity_DarkCloudYara detected DarkCloudJoe Security
          Click to see the 2 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          2.2.Quotation____________________________________pdf.exe.4cb9990.1.raw.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
            2.2.Quotation____________________________________pdf.exe.4fc7ad8.4.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
              2.2.Quotation____________________________________pdf.exe.4cb9990.1.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                  2.2.Quotation____________________________________pdf.exe.4fc7ad8.4.raw.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                    Click to see the 2 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation____________________________________pdf.exe", ParentImage: C:\Users\user\Desktop\Quotation____________________________________pdf.exe, ParentProcessId: 2000, ParentProcessName: Quotation____________________________________pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", ProcessId: 3804, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation____________________________________pdf.exe", ParentImage: C:\Users\user\Desktop\Quotation____________________________________pdf.exe, ParentProcessId: 2000, ParentProcessName: Quotation____________________________________pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", ProcessId: 3804, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp8F48.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp8F48.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\qlOtJNH.exe, ParentImage: C:\Users\user\AppData\Roaming\qlOtJNH.exe, ParentProcessId: 7292, ParentProcessName: qlOtJNH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp8F48.tmp", ProcessId: 7444, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation____________________________________pdf.exe", ParentImage: C:\Users\user\Desktop\Quotation____________________________________pdf.exe, ParentProcessId: 2000, ParentProcessName: Quotation____________________________________pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp", ProcessId: 2960, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation____________________________________pdf.exe", ParentImage: C:\Users\user\Desktop\Quotation____________________________________pdf.exe, ParentProcessId: 2000, ParentProcessName: Quotation____________________________________pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe", ProcessId: 3804, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation____________________________________pdf.exe", ParentImage: C:\Users\user\Desktop\Quotation____________________________________pdf.exe, ParentProcessId: 2000, ParentProcessName: Quotation____________________________________pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp", ProcessId: 2960, ProcessName: schtasks.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: Quotation____________________________________pdf.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeAvira: detection malicious, Label: HEUR/AGEN.1311126
                    Found malware configuration
                    Source: 2.2.Quotation____________________________________pdf.exe.4cb9990.1.raw.unpackMalware Configuration Extractor: DarkCloud {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8181099166:AAHWiTz10g_-_BPRNk3yroxe3fl_IXTpU7s/sendMessage?chat_id=6250686237"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeReversingLabs: Detection: 44%
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeVirustotal: Detection: 54%Perma Link
                    Multi AV Scanner detection for submitted file
                    Source: Quotation____________________________________pdf.exeVirustotal: Detection: 54%Perma Link
                    Source: Quotation____________________________________pdf.exeReversingLabs: Detection: 44%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: Quotation____________________________________pdf.exeJoe Sandbox ML: detected
                    Sample uses string decryption to hide its real strings
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Cookies
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: \Default\Login Data
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: \Login Data
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: //setting[@name='Password']/value
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Password :
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: SMTP Email Address
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: NNTP Email Address
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Email
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: HTTPMail User Name
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: HTTPMail Server
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Password
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^3[47][0-9]{13}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(6541|6556)[0-9]{12}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^389[0-9]{11}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^63[7-9][0-9]{13}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^9[0-9]{15}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Visa Card
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Mastercard
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(62[0-9]{14,17})$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Visa Master Card
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: \logins.json
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: \signons.sqlite
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Foxmail.exe
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: mail\
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: \Accounts\Account.rec0
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: \AccCfg\Accounts.tdat
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: EnableSignature
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: Application : FoxMail
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: encryptedUsername
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: logins
                    Source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpackString decryptor: encryptedPassword
                    Source: Quotation____________________________________pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: Quotation____________________________________pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: W.pdb4 source: Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, Quotation____________________________________pdf.exe, 0000000D.00000002.2518251668.000000000045A000.00000040.00000400.00020000.00000000.sdmp
                    Source: Quotation____________________________________pdf.exe, 00000002.00000002.1289601046.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, qlOtJNH.exe, 0000000E.00000002.1313200349.0000000002DC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Quotation____________________________________pdf.exe, Quotation____________________________________pdf.exe, 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: Quotation____________________________________pdf.exe
                    Source: initial sampleStatic PE information: Filename: Quotation____________________________________pdf.exe
                    Writes or reads registry keys via WMI
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_032A42242_2_032A4224
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_032A7D4F2_2_032A7D4F
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD05B02_2_07AD05B0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD44C82_2_07AD44C8
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD63E02_2_07AD63E0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD40882_2_07AD4088
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD5B302_2_07AD5B30
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD47032_2_07AD4703
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD47102_2_07AD4710
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD05A02_2_07AD05A0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD35E82_2_07AD35E8
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD35F82_2_07AD35F8
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD44BB2_2_07AD44BB
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07ADF4982_2_07ADF498
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD23A82_2_07AD23A8
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD23B82_2_07AD23B8
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD63D32_2_07AD63D3
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07ADE0902_2_07ADE090
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD50C02_2_07AD50C0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD00062_2_07AD0006
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD407B2_2_07AD407B
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD00402_2_07AD0040
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD2F682_2_07AD2F68
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD2F592_2_07AD2F59
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD4EA02_2_07AD4EA0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD4EB02_2_07AD4EB0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07ADDC492_2_07ADDC49
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD5B232_2_07AD5B23
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD3A812_2_07AD3A81
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD3A902_2_07AD3A90
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD4A682_2_07AD4A68
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD4A582_2_07AD4A58
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD69B82_2_07AD69B8
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD69C82_2_07AD69C8
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07ADF8C02_2_07ADF8C0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07ADF8D02_2_07ADF8D0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD38082_2_07AD3808
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07AD38182_2_07AD3818
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 2_2_07ADD8132_2_07ADD813
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 13_2_0040743413_2_00407434
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeCode function: 13_2_0040749013_2_00407490
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0141422414_2_01414224
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_01417D4F14_2_01417D4F
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0601F40014_2_0601F400
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_060180B814_2_060180B8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0601FB5814_2_0601FB58
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0601E88814_2_0601E888
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_060185B214_2_060185B2
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_060112E814_2_060112E8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_060112F814_2_060112F8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0601F3E714_2_0601F3E7
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0601E8C114_2_0601E8C1
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078605B014_2_078605B0
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078644C814_2_078644C8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786408814_2_07864088
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07865B3014_2_07865B30
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786470214_2_07864702
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786471014_2_07864710
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078605A014_2_078605A0
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078635E814_2_078635E8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078635F814_2_078635F8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786F49814_2_0786F498
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078644B814_2_078644B8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786444614_2_07864446
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078623A814_2_078623A8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078623B814_2_078623B8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078663D214_2_078663D2
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078663E014_2_078663E0
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786E09014_2_0786E090
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786000714_2_07860007
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786004014_2_07860040
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786407A14_2_0786407A
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07862F5914_2_07862F59
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07862F6814_2_07862F68
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07864EA014_2_07864EA0
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07864EB014_2_07864EB0
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786DC4914_2_0786DC49
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07865B2214_2_07865B22
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07863A8114_2_07863A81
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07863A9014_2_07863A90
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07864A5814_2_07864A58
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_07864A6814_2_07864A68
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078669B814_2_078669B8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_078669C814_2_078669C8
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786F8C014_2_0786F8C0
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786F8D014_2_0786F8D0
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786380814_2_07863808
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786D81214_2_0786D812
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0786381814_2_07863818
                    Source: Quotation____________________________________pdf.exe, 00000002.00000002.1295762170.0000000007A10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs Quotation____________________________________pdf.exe
                    Source: Quotation____________________________________pdf.exe, 00000002.00000002.1288570530.000000000172E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Quotation____________________________________pdf.exe
                    Source: Quotation____________________________________pdf.exe, 00000002.00000002.1296766051.000000000A8D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Quotation____________________________________pdf.exe
                    Source: Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004CEF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefowling.exe vs Quotation____________________________________pdf.exe
                    Source: Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefowling.exe vs Quotation____________________________________pdf.exe
                    Source: Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Quotation____________________________________pdf.exe
                    Source: Quotation____________________________________pdf.exe, 00000002.00000000.1267792803.0000000000F12000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamevaRq.exe< vs Quotation____________________________________pdf.exe
                    Source: Quotation____________________________________pdf.exeBinary or memory string: OriginalFilenamevaRq.exe< vs Quotation____________________________________pdf.exe
                    Source: Quotation____________________________________pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Quotation____________________________________pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: qlOtJNH.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp, Quotation____________________________________pdf.exe, 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: ,@PC*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: Quotation____________________________________pdf.exeBinary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: qlOtJNH.exeBinary or memory string: *\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: Quotation____________________________________pdf.exe, 0000000D.00000002.2518251668.0000000000435000.00000040.00000400.00020000.00000000.sdmp, qlOtJNH.exe, 00000012.00000002.2518175365.0000000000428000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: ;@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp Wj
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@16/13@0/0
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeFile created: C:\Users\user\AppData\Roaming\qlOtJNH.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2064:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp85B3.tmpJump to behavior
                    Source: Quotation____________________________________pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Quotation____________________________________pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: Quotation____________________________________pdf.exeBinary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
                    Source: LogfirelessHrvQSXEgnfSYYboorishly.13.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Quotation____________________________________pdf.exeVirustotal: Detection: 54%
                    Source: Quotation____________________________________pdf.exeReversingLabs: Detection: 44%
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeFile read: C:\Users\user\Desktop\Quotation____________________________________pdf.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\Quotation____________________________________pdf.exe "C:\Users\user\Desktop\Quotation____________________________________pdf.exe"
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Users\user\Desktop\Quotation____________________________________pdf.exe "C:\Users\user\Desktop\Quotation____________________________________pdf.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\qlOtJNH.exe C:\Users\user\AppData\Roaming\qlOtJNH.exe
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp8F48.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess created: C:\Users\user\AppData\Roaming\qlOtJNH.exe "C:\Users\user\AppData\Roaming\qlOtJNH.exe"
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Users\user\Desktop\Quotation____________________________________pdf.exe "C:\Users\user\Desktop\Quotation____________________________________pdf.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp8F48.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess created: C:\Users\user\AppData\Roaming\qlOtJNH.exe "C:\Users\user\AppData\Roaming\qlOtJNH.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: msvbvm60.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: vb6zz.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: winsqlite3.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: msvbvm60.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: vb6zz.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: winsqlite3.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: esscli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: Quotation____________________________________pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Quotation____________________________________pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: W.pdb4 source: Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, Quotation____________________________________pdf.exe, 00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, Quotation____________________________________pdf.exe, 0000000D.00000002.2518251668.000000000045A000.00000040.00000400.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_06011B02 push 840534A5h; iretd 14_2_06011B0D
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeCode function: 14_2_0601EBFB push ecx; ret 14_2_0601EBFC
                    Source: Quotation____________________________________pdf.exeStatic PE information: section name: .text entropy: 7.742974670485865
                    Source: qlOtJNH.exe.2.drStatic PE information: section name: .text entropy: 7.742974670485865
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeFile created: C:\Users\user\AppData\Roaming\qlOtJNH.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: Quotation____________________________________pdf.exe PID: 2000, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: 3260000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: 34B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: 32F0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: 8350000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: 7C20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: 9350000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: A350000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: A980000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: B980000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: 1410000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: 2D90000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: 4D90000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: 79B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: 89B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: 8B50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: 9B50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: A2B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeMemory allocated: B2B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6894Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2594Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exe TID: 5680Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exe TID: 7320Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: WebData.13.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                    Source: WebData.13.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                    Source: WebData.13.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                    Source: WebData.13.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                    Source: WebData.13.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: outlook.office.comVMware20,11696492231s
                    Source: WebData.13.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: AMC password management pageVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: interactivebrokers.comVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                    Source: WebData.13.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                    Source: WebData.13.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: outlook.office365.comVMware20,11696492231t
                    Source: WebData.13.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                    Source: WebData.13.drBinary or memory string: discord.comVMware20,11696492231f
                    Source: WebData.13.drBinary or memory string: global block list test formVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: dev.azure.comVMware20,11696492231j
                    Source: WebData.13.drBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                    Source: WebData.13.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                    Source: WebData.13.drBinary or memory string: bankofamerica.comVMware20,11696492231x
                    Source: WebData.13.drBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                    Source: WebData.13.drBinary or memory string: tasks.office.comVMware20,11696492231o
                    Source: WebData.13.drBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                    Source: WebData.13.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: ms.portal.azure.comVMware20,11696492231
                    Source: WebData.13.drBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                    Source: WebData.13.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                    Source: WebData.13.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                    Source: WebData.13.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe"
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeProcess created: C:\Users\user\Desktop\Quotation____________________________________pdf.exe "C:\Users\user\Desktop\Quotation____________________________________pdf.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp8F48.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeProcess created: C:\Users\user\AppData\Roaming\qlOtJNH.exe "C:\Users\user\AppData\Roaming\qlOtJNH.exe"Jump to behavior
                    Source: qlOtJNH.exe, 00000012.00000002.2520856169.0000000000FA1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman`
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeQueries volume information: C:\Users\user\Desktop\Quotation____________________________________pdf.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeQueries volume information: C:\Users\user\AppData\Roaming\qlOtJNH.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation____________________________________pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected DarkCloud
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4cb9990.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4fc7ad8.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4cb9990.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4fc7ad8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4dd2108.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Quotation____________________________________pdf.exe PID: 2000, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Quotation____________________________________pdf.exe PID: 7264, type: MEMORYSTR
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qlOtJNH.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior

                    Remote Access Functionality

                    barindex
                    Yara detected DarkCloud
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4cb9990.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4fc7ad8.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4cb9990.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4fc7ad8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4ffe408.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Quotation____________________________________pdf.exe.4dd2108.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Quotation____________________________________pdf.exe PID: 2000, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Quotation____________________________________pdf.exe PID: 7264, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                    Windows Management Instrumentation                    		1
                    Scheduled Task/Job                    		12
                    Process Injection                    		1
                    Masquerading                    		1
                    OS Credential Dumping                    		11
                    Security Software Discovery                    		Remote Services1
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    DLL Side-Loading                    		1
                    Scheduled Task/Job                    		11
                    Disable or Modify Tools                    		LSASS Memory2
                    Process Discovery                    		Remote Desktop Protocol1
                    Data from Local System                    		Junk DataExfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    DLL Side-Loading                    		31
                    Virtualization/Sandbox Evasion                    		Security Account Manager31
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                    Obfuscated Files or Information                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                    Software Packing                    		Cached Domain Credentials12
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 signatures2 2 Behavior Graph ID: 1592060 Sample: Quotation__________________... Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 9 other signatures 2->46 7 Quotation____________________________________pdf.exe 7 2->7         started        11 qlOtJNH.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\Roaming\qlOtJNH.exe, PE32 7->32 dropped 34 C:\Users\user\...\qlOtJNH.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmp85B3.tmp, XML 7->36 dropped 38 Quotation_________...________pdf.exe.log, ASCII 7->38 dropped 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 50 Adds a directory exclusion to Windows Defender 7->50 52 Writes or reads registry keys via WMI 7->52 13 powershell.exe 23 7->13         started        16 schtasks.exe 1 7->16         started        18 Quotation____________________________________pdf.exe 5 7->18         started        54 Antivirus detection for dropped file 11->54 56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 20 qlOtJNH.exe 4 11->20         started        22 schtasks.exe 1 11->22         started        signatures5 process6 signatures7 60 Loading BitLocker PowerShell Module 13->60 24 conhost.exe 13->24         started        26 conhost.exe 16->26         started        62 Tries to harvest and steal browser information (history, passwords, etc) 20->62 28 WmiPrvSE.exe 20->28         started        30 conhost.exe 22->30         started        process8

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    Quotation____________________________________pdf.exe54%VirustotalBrowse
                    Quotation____________________________________pdf.exe45%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    Quotation____________________________________pdf.exe100%AviraHEUR/AGEN.1311126
                    Quotation____________________________________pdf.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\qlOtJNH.exe100%AviraHEUR/AGEN.1311126
                    C:\Users\user\AppData\Roaming\qlOtJNH.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\qlOtJNH.exe45%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    C:\Users\user\AppData\Roaming\qlOtJNH.exe54%VirustotalBrowse

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    No Antivirus matches

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://api.telegram.org/botQuotation____________________________________pdf.exe, Quotation____________________________________pdf.exe, 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmpfalse
                      		high
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameQuotation____________________________________pdf.exe, 00000002.00000002.1289601046.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, qlOtJNH.exe, 0000000E.00000002.1313200349.0000000002DC8000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high

                        World Map of Contacted IPs

                        No contacted IP infos

                        General Information

                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1592060
                        Start date and time:2025-01-15 18:02:07 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 13s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:25
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Quotation____________________________________pdf.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@16/13@0/0
                        EGA Information:
                        • Successful, ratio: 50%
                        HCA Information:
                        • Successful, ratio: 97%
                        • Number of executed functions: 251
                        • Number of non-executed functions: 30
                        Cookbook Comments:
                        • Found application associated with file extension: .exe

                        Warnings

                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 20.12.23.50
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target Quotation____________________________________pdf.exe, PID 7264 because it is empty
                        • Execution Graph export aborted for target qlOtJNH.exe, PID 7488 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        12:03:03API Interceptor1x Sleep call for process: Quotation____________________________________pdf.exe modified
                        12:03:05API Interceptor12x Sleep call for process: powershell.exe modified
                        12:03:06API Interceptor1x Sleep call for process: qlOtJNH.exe modified
                        18:03:05Task SchedulerRun new task: qlOtJNH path: C:\Users\user\AppData\Roaming\qlOtJNH.exe

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASNs

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation____________________________________pdf.exe.log

                        Download File
                        Process:C:\Users\user\Desktop\Quotation____________________________________pdf.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qlOtJNH.exe.log

                        Download File
                        Process:C:\Users\user\AppData\Roaming\qlOtJNH.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):2232
                        Entropy (8bit):5.380747059108785
                        Encrypted:false
                        SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:lGLHxvIIwLgZ2KRHWLOug8s
                        MD5:CAAF9E85F4215DFF27856092092AD361
                        SHA1:F9CDD4D9D1C22BAE6BAAC86BFD85A82AA22D9CA9
                        SHA-256:85B3FC09907CF6D617498E0051E9B0C07FB195ADB8478F46082ED71FB8722C04
                        SHA-512:DFCA3A002C5C7522DF748DA2632E531AC24D669DFDEE96FF7E9E39B755415672AC608FB80C1CCC9EC059D1EC0E0B43D85BC7DE2FD8218D7CB2CEE26D0C287427
                        Malicious:false
                        Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2neaqg3y.rqr.ps1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfuj3qit.beh.psm1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w4ylfoxl.jok.psm1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnmlsegf.02g.ps1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\tmp85B3.tmp

                        Download File
                        Process:C:\Users\user\Desktop\Quotation____________________________________pdf.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1601
                        Entropy (8bit):5.1230821092117225
                        Encrypted:false
                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtIC0+xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT2yv
                        MD5:B4464E21850754E373D9F36643578971
                        SHA1:C48B83EACEB6A130DD37C5342F513FE1FE89F647
                        SHA-256:D775C45EA9B084E3E60A145E3C3407754CA167F8D158AE8E0F38091E3990600D
                        SHA-512:C97BABFB87760F981D5C65C5105F9AE3A87284B21B588305DA71EEC5CDFD3E5D1766218CCCCDE369FF4CE0FEE9241CCB85929C88FDCCD2C04920C4771B4D45A5
                        Malicious:true
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

                        C:\Users\user\AppData\Local\Temp\tmp8F48.tmp

                        Download File
                        Process:C:\Users\user\AppData\Roaming\qlOtJNH.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1601
                        Entropy (8bit):5.1230821092117225
                        Encrypted:false
                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtIC0+xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT2yv
                        MD5:B4464E21850754E373D9F36643578971
                        SHA1:C48B83EACEB6A130DD37C5342F513FE1FE89F647
                        SHA-256:D775C45EA9B084E3E60A145E3C3407754CA167F8D158AE8E0F38091E3990600D
                        SHA-512:C97BABFB87760F981D5C65C5105F9AE3A87284B21B588305DA71EEC5CDFD3E5D1766218CCCCDE369FF4CE0FEE9241CCB85929C88FDCCD2C04920C4771B4D45A5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfirelessHrvQSXEgnfSYYboorishly

                        Download File
                        Process:C:\Users\user\Desktop\Quotation____________________________________pdf.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                        Category:dropped
                        Size (bytes):40960
                        Entropy (8bit):0.8553638852307782
                        Encrypted:false
                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                        MD5:28222628A3465C5F0D4B28F70F97F482
                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                        Malicious:false
                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

                        Download File
                        Process:C:\Users\user\Desktop\Quotation____________________________________pdf.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                        Category:dropped
                        Size (bytes):196608
                        Entropy (8bit):1.1215420383712111
                        Encrypted:false
                        SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                        MD5:9A809AD8B1FDDA60760BB6253358A1DB
                        SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                        SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                        SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                        Malicious:false
                        Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                        C:\Users\user\AppData\Roaming\qlOtJNH.exe

                        Download File
                        Process:C:\Users\user\Desktop\Quotation____________________________________pdf.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):971776
                        Entropy (8bit):7.737431077039331
                        Encrypted:false
                        SSDEEP:24576:J8JN+UVsa/olVNkYHpt4rvOncPR1OcvHDyunxr7iPM8Wk3:a3+Ufk7g7Oncpgc7yNHWi
                        MD5:AC380EBB31729E7FED32DC97D011F7F7
                        SHA1:2CE4E333861A1B846A0AE5342DEEBB2DE7D5BC4A
                        SHA-256:5D4DC700AB772BFB4AC1FA290C0DFEAE62058D31C42B48B5072A2C13B4C419BB
                        SHA-512:954EDD0BA1EC9615CA832CAE612E18CB4015842A7DC2FF5D6B83CB0BEB0CDF327D87DBE945C9A45B1BAE31F07F224345E5E66335DDB1C82E5FDA80FEFBDC597B
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 45%
                        • Antivirus: Virustotal, Detection: 54%, Browse
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.g..............0.................. ........@.. ....................... ............@.................................P...O.......l............................................................................ ............... ..H............text........ ...................... ..`.rsrc...l...........................@..@.reloc..............................@..B........................H........a...N...............+...........................................0..P............(....(..........s ...%s....o!....%s....o!....%s....o!....%s....o!.........*.0..\........~....r...po"....s#.....~....o$....+..o%.......o.......o....-....,..o......~....r;..po"....*......#..@......".(&....*....0..E........('.....((....s=...().....(*...rw..po+....s....(...........o,.......*............8.......0...........~....r...p.o-...o.....r...p.o-...r...p(/...s'......o)......o.....8.....

                        C:\Users\user\AppData\Roaming\qlOtJNH.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\Quotation____________________________________pdf.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.737431077039331
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:Quotation____________________________________pdf.exe
                        File size:971'776 bytes
                        MD5:ac380ebb31729e7fed32dc97d011f7f7
                        SHA1:2ce4e333861a1b846a0ae5342deebb2de7d5bc4a
                        SHA256:5d4dc700ab772bfb4ac1fa290c0dfeae62058d31c42b48b5072a2c13b4c419bb
                        SHA512:954edd0ba1ec9615ca832cae612e18cb4015842a7dc2ff5d6b83cb0beb0cdf327d87dbe945c9a45b1bae31f07f224345e5e66335ddb1c82e5fda80fefbdc597b
                        SSDEEP:24576:J8JN+UVsa/olVNkYHpt4rvOncPR1OcvHDyunxr7iPM8Wk3:a3+Ufk7g7Oncpgc7yNHWi
                        TLSH:D725E1C03B397311CEACBA30853ADDB9A2642E78B00479E2AEDD2B5775DD1039A1DF45
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.g..............0.................. ........@.. ....................... ............@................................

                        File Icon

                        Icon Hash:0066b49631f8dc38

                        Static PE Info

                        General

                        Entrypoint:0x4edba2
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x67872DAF [Wed Jan 15 03:38:23 2025 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        lodsd
                        fiadd word ptr [eax]
                        add bh, ch
                        mov esi, CAFE0000h
                        add byte ptr [eax], al
                        mov esi, 000000BAh
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0xedb500x4f.text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xee0000x126c.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xf00000xc.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x20000xebbb80xebc00c3beb078dd4dd87ea01291bdaa1b0c51False0.8922374154957582data7.742974670485865IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc0xee0000x126c0x140010ca0bbb31ffc1146defbbf40b8b6ceeFalse0.708203125data6.392238867528293IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0xf00000xc0x2001932dc673400b6dfb9f39c63bdcb02bcFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountryZLIB Complexity
                        RT_ICON0xee1000xbdfPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9348469891411648
                        RT_GROUP_ICON0xeecf00x14data1.05
                        RT_VERSION0xeed140x358data0.4287383177570093
                        RT_MANIFEST0xef07c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                        Imports

                        DLLImport
                        mscoree.dll_CorExeMain

                        Network Behavior

                        No network behavior found

                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:2
                        Start time:12:03:02
                        Start date:15/01/2025
                        Path:C:\Users\user\Desktop\Quotation____________________________________pdf.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\Quotation____________________________________pdf.exe"
                        Imagebase:0xf10000
                        File size:971'776 bytes
                        MD5 hash:AC380EBB31729E7FED32DC97D011F7F7
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000002.00000002.1290158620.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000002.00000002.1290158620.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        General

                        Target ID:9
                        Start time:12:03:04
                        Start date:15/01/2025
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qlOtJNH.exe"
                        Imagebase:0x4a0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:10
                        Start time:12:03:04
                        Start date:15/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:11
                        Start time:12:03:04
                        Start date:15/01/2025
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp85B3.tmp"
                        Imagebase:0xb0000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:12
                        Start time:12:03:04
                        Start date:15/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:13
                        Start time:12:03:04
                        Start date:15/01/2025
                        Path:C:\Users\user\Desktop\Quotation____________________________________pdf.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\Quotation____________________________________pdf.exe"
                        Imagebase:0x9c0000
                        File size:971'776 bytes
                        MD5 hash:AC380EBB31729E7FED32DC97D011F7F7
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false

                        General

                        Target ID:14
                        Start time:12:03:05
                        Start date:15/01/2025
                        Path:C:\Users\user\AppData\Roaming\qlOtJNH.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\qlOtJNH.exe
                        Imagebase:0x9b0000
                        File size:971'776 bytes
                        MD5 hash:AC380EBB31729E7FED32DC97D011F7F7
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 45%, ReversingLabs
                        • Detection: 54%, Virustotal, Browse
                        Reputation:low
                        Has exited:true

                        General

                        Target ID:16
                        Start time:12:03:07
                        Start date:15/01/2025
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qlOtJNH" /XML "C:\Users\user\AppData\Local\Temp\tmp8F48.tmp"
                        Imagebase:0xb0000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:17
                        Start time:12:03:07
                        Start date:15/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:18
                        Start time:12:03:07
                        Start date:15/01/2025
                        Path:C:\Users\user\AppData\Roaming\qlOtJNH.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\qlOtJNH.exe"
                        Imagebase:0x8d0000
                        File size:971'776 bytes
                        MD5 hash:AC380EBB31729E7FED32DC97D011F7F7
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        General

                        Target ID:20
                        Start time:12:03:10
                        Start date:15/01/2025
                        Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x760000
                        File size:418'304 bytes
                        MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:false

                        Disassembly

                        Reset < >

                          Execution Graph

                          Execution Coverage:8.3%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:4.5%
                          Total number of Nodes:66
                          Total number of Limit Nodes:4
                          execution_graph 24595 32a4668 24596 32a4684 24595->24596 24597 32a469f 24596->24597 24601 32a4800 24596->24601 24606 32a4224 24597->24606 24599 32a46be 24602 32a4825 24601->24602 24610 32a4910 24602->24610 24614 32a4901 24602->24614 24607 32a422f 24606->24607 24622 32a7bbc 24607->24622 24609 32a7e7a 24609->24599 24612 32a4937 24610->24612 24611 32a4a14 24611->24611 24612->24611 24618 32a4524 24612->24618 24615 32a4910 24614->24615 24616 32a4524 CreateActCtxA 24615->24616 24617 32a4a14 24615->24617 24616->24617 24619 32a5da0 CreateActCtxA 24618->24619 24621 32a5e63 24619->24621 24623 32a7bc7 24622->24623 24625 32a894d 24623->24625 24626 32a7cbc 24623->24626 24625->24609 24627 32a7cc7 24626->24627 24630 32a7cec 24627->24630 24629 32a8a22 24629->24625 24631 32a7cf7 24630->24631 24634 32a7d1c 24631->24634 24633 32a8b25 24633->24629 24635 32a7d27 24634->24635 24640 32a97c0 24635->24640 24637 32a9dd1 24637->24633 24638 32a9ba8 24638->24637 24645 32ae130 24638->24645 24641 32a97cb 24640->24641 24642 32ab022 24641->24642 24649 32ab072 24641->24649 24653 32ab080 24641->24653 24642->24638 24646 32ae151 24645->24646 24647 32ae175 24646->24647 24657 32ae6e8 24646->24657 24647->24637 24650 32ab080 24649->24650 24651 32ab0ce KiUserCallbackDispatcher 24650->24651 24652 32ab0f8 24650->24652 24651->24652 24652->24642 24654 32ab0c3 24653->24654 24655 32ab0ce KiUserCallbackDispatcher 24654->24655 24656 32ab0f8 24654->24656 24655->24656 24656->24642 24658 32ae6f5 24657->24658 24660 32ae72f 24658->24660 24661 32ae510 24658->24661 24660->24647 24662 32ae51b 24661->24662 24663 32af040 24662->24663 24665 32ae63c 24662->24665 24666 32ae647 24665->24666 24667 32a7d1c 2 API calls 24666->24667 24668 32af0af 24667->24668 24668->24663 24669 32ae800 24670 32ae846 24669->24670 24673 32ae9e0 24670->24673 24676 32ae5d8 24673->24676 24677 32aea48 DuplicateHandle 24676->24677 24678 32ae933 24677->24678 24679 32ac760 24680 32ac7a8 GetModuleHandleW 24679->24680 24681 32ac7a2 24679->24681 24682 32ac7d5 24680->24682 24681->24680

                          Executed Functions

                          Function 032A7D4F Relevance: 3.1, Strings: 2, Instructions: 618COMMON
                          Download Yara Rule

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1289318524.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_32a0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: Ppq$d
                          • API String ID: 0-2834635473
                          • Opcode ID: f513585b3150f31fdf5b40697480bb394ce493b50a7c3e3ac8d51c06d386132a
                          • Instruction ID: 501451487a874a7736f7e6d1cbb518e09ecb421097008bb44b064e03935527b2
                          • Opcode Fuzzy Hash: f513585b3150f31fdf5b40697480bb394ce493b50a7c3e3ac8d51c06d386132a
                          • Instruction Fuzzy Hash: 4A62D275A10229CFDB25DF68C894BD9BBB2FF49300F0081E9D549AB254DB70AE95CF81
                          Function 032A4224 Relevance: 3.1, Strings: 2, Instructions: 579COMMON
                          Download Yara Rule

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1289318524.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_32a0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: Ppq$d
                          • API String ID: 0-2834635473
                          • Opcode ID: a8af860ea8b7ae825f6c03d5009819cfde8bed2c8dda6a272a8b5dfd2247df9e
                          • Instruction ID: 89ac037ccf68822fa43bec46994258add775d4b82d27a551c21510e29672e065
                          • Opcode Fuzzy Hash: a8af860ea8b7ae825f6c03d5009819cfde8bed2c8dda6a272a8b5dfd2247df9e
                          • Instruction Fuzzy Hash: 5252C174A10229CFDB25DF68C884BD9BBB2FF49300F0085E9E549A7254DB70AE95CF80
                          Function 07AD63E0 Relevance: 1.5, Strings: 1, Instructions: 270COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 619 7ad63e0-7ad6408 620 7ad640f-7ad6454 619->620 621 7ad640a 619->621 622 7ad6455 620->622 621->620 623 7ad645c-7ad6478 622->623 624 7ad647a 623->624 625 7ad6481-7ad6482 623->625 624->622 624->625 626 7ad64ec-7ad6501 624->626 627 7ad6629-7ad664f 624->627 628 7ad64cb-7ad64e7 624->628 629 7ad674a-7ad6778 624->629 630 7ad66e5-7ad66f8 624->630 631 7ad6487-7ad6490 624->631 632 7ad6506-7ad653c 624->632 633 7ad6541-7ad6558 624->633 634 7ad64a2-7ad64b5 624->634 635 7ad677d-7ad6786 624->635 636 7ad655d-7ad656d 624->636 637 7ad66fd-7ad6713 624->637 638 7ad659d-7ad65b0 624->638 639 7ad65dc-7ad65f4 624->639 640 7ad65f9-7ad6624 624->640 641 7ad6718-7ad6745 call 7ad60e8 624->641 642 7ad66bb-7ad66e0 624->642 643 7ad6654-7ad6667 624->643 644 7ad64b7-7ad64c9 624->644 645 7ad6693-7ad66b6 call 7ad5e48 624->645 646 7ad6492-7ad64a0 624->646 625->635 626->623 627->623 628->623 629->623 630->623 631->623 632->623 633->623 634->623 661 7ad6577-7ad6598 636->661 637->623 648 7ad65c3-7ad65ca 638->648 649 7ad65b2-7ad65c1 638->649 639->623 640->623 641->623 642->623 650 7ad6669-7ad6678 643->650 651 7ad667a-7ad6681 643->651 644->623 645->623 646->623 653 7ad65d1-7ad65d7 648->653 649->653 660 7ad6688-7ad668e 650->660 651->660 653->623 660->623 661->623
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: ?w=>
                          • API String ID: 0-1933253675
                          • Opcode ID: bb36af3c0941f0d862b8c33cd36319696b9b34b53e97c75997def403bfff75fa
                          • Instruction ID: 9678726b8b8ebff681ab6a86da5bc0124f6dc7c8f455dbd7f1bbf09636cf7889
                          • Opcode Fuzzy Hash: bb36af3c0941f0d862b8c33cd36319696b9b34b53e97c75997def403bfff75fa
                          • Instruction Fuzzy Hash: 7EB12AB0D15219DFDB18CFA6DA8469EFBB2FF89340F10D42AD426AB254DB349902CF54
                          Function 07AD63D3 Relevance: 1.5, Strings: 1, Instructions: 267COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 664 7ad63d3-7ad6408 665 7ad640f-7ad6454 664->665 666 7ad640a 664->666 667 7ad6455 665->667 666->665 668 7ad645c-7ad6478 667->668 669 7ad647a 668->669 670 7ad6481-7ad6482 668->670 669->667 669->670 671 7ad64ec-7ad6501 669->671 672 7ad6629-7ad664f 669->672 673 7ad64cb-7ad64e7 669->673 674 7ad674a-7ad6778 669->674 675 7ad66e5-7ad66f8 669->675 676 7ad6487-7ad6490 669->676 677 7ad6506-7ad653c 669->677 678 7ad6541-7ad6558 669->678 679 7ad64a2-7ad64b5 669->679 680 7ad677d-7ad6786 669->680 681 7ad655d-7ad656d 669->681 682 7ad66fd-7ad6713 669->682 683 7ad659d-7ad65b0 669->683 684 7ad65dc-7ad65f4 669->684 685 7ad65f9-7ad6624 669->685 686 7ad6718-7ad6745 call 7ad60e8 669->686 687 7ad66bb-7ad66e0 669->687 688 7ad6654-7ad6667 669->688 689 7ad64b7-7ad64c9 669->689 690 7ad6693-7ad66b6 call 7ad5e48 669->690 691 7ad6492-7ad64a0 669->691 670->680 671->668 672->668 673->668 674->668 675->668 676->668 677->668 678->668 679->668 706 7ad6577-7ad6598 681->706 682->668 693 7ad65c3-7ad65ca 683->693 694 7ad65b2-7ad65c1 683->694 684->668 685->668 686->668 687->668 695 7ad6669-7ad6678 688->695 696 7ad667a-7ad6681 688->696 689->668 690->668 691->668 698 7ad65d1-7ad65d7 693->698 694->698 705 7ad6688-7ad668e 695->705 696->705 698->668 705->668 706->668
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: ?w=>
                          • API String ID: 0-1933253675
                          • Opcode ID: cac41913ae13cb199af0d98986ef0d5554e359fc23ce0e1df7d2ebf1c303c10b
                          • Instruction ID: 4e0f21ca87af2edd42f1b816be46d0f5326573aa4f5d45fd73d070313de7f295
                          • Opcode Fuzzy Hash: cac41913ae13cb199af0d98986ef0d5554e359fc23ce0e1df7d2ebf1c303c10b
                          • Instruction Fuzzy Hash: 45B119B1D15219DFDB18CFA6DA8069EFBB2FF89340F10D52AD426AB254DB349902CF50
                          Function 07AD407B Relevance: 1.5, Strings: 1, Instructions: 247COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 709 7ad407b-7ad40ad 710 7ad40af 709->710 711 7ad40b4-7ad4112 709->711 710->711 716 7ad411a 711->716 717 7ad4121-7ad413d 716->717 718 7ad413f 717->718 719 7ad4146-7ad4147 717->719 718->716 718->719 720 7ad43ad-7ad43df 718->720 721 7ad414c-7ad415f 718->721 722 7ad43e4-7ad43f7 718->722 723 7ad4327-7ad4371 718->723 724 7ad4266-7ad4322 718->724 725 7ad4161-7ad41ab 718->725 726 7ad43fc-7ad4403 718->726 727 7ad41d8-7ad41eb 718->727 728 7ad4395-7ad43a8 718->728 729 7ad4376-7ad4390 call 7ad3c84 718->729 730 7ad41b0-7ad41b7 718->730 731 7ad41f0-7ad4261 718->731 719->726 720->717 721->717 722->717 723->717 724->717 725->717 727->717 728->717 729->717 752 7ad41ba call 7ad44c8 730->752 753 7ad41ba call 7ad44bb 730->753 731->717 738 7ad41c0-7ad41d3 738->717 752->738 753->738
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 5{
                          • API String ID: 0-2291050889
                          • Opcode ID: c8412c33ee04b86b6a702992f236e51592ce174a5fb6c34bb1c54881de930f03
                          • Instruction ID: 048c5bb8785556769001ee79097b4935c3c5dd663d03a3f6991fce68c3724f55
                          • Opcode Fuzzy Hash: c8412c33ee04b86b6a702992f236e51592ce174a5fb6c34bb1c54881de930f03
                          • Instruction Fuzzy Hash: DCB15CB4E01209DFCB04DFE9D5855AEBBB2FF89300F208569D816AB354DB389946CF61
                          Function 07AD4088 Relevance: 1.5, Strings: 1, Instructions: 246COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 754 7ad4088-7ad40ad 755 7ad40af 754->755 756 7ad40b4-7ad4112 754->756 755->756 761 7ad411a 756->761 762 7ad4121-7ad413d 761->762 763 7ad413f 762->763 764 7ad4146-7ad4147 762->764 763->761 763->764 765 7ad43ad-7ad43df 763->765 766 7ad414c-7ad415f 763->766 767 7ad43e4-7ad43f7 763->767 768 7ad4327-7ad4371 763->768 769 7ad4266-7ad4322 763->769 770 7ad4161-7ad41ab 763->770 771 7ad43fc-7ad4403 763->771 772 7ad41d8-7ad41eb 763->772 773 7ad4395-7ad43a8 763->773 774 7ad4376-7ad4390 call 7ad3c84 763->774 775 7ad41b0-7ad41b7 763->775 776 7ad41f0-7ad4261 763->776 764->771 765->762 766->762 767->762 768->762 769->762 770->762 772->762 773->762 774->762 797 7ad41ba call 7ad44c8 775->797 798 7ad41ba call 7ad44bb 775->798 776->762 783 7ad41c0-7ad41d3 783->762 797->783 798->783
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 5{
                          • API String ID: 0-2291050889
                          • Opcode ID: e7e153c652e8dca2c37bd2770c6aacd8c6ecaae0b69edda59a3d784348c9a96f
                          • Instruction ID: 89aa3e65693360bf0f17870280606729533b900d3400b2b735fed99ca31d8877
                          • Opcode Fuzzy Hash: e7e153c652e8dca2c37bd2770c6aacd8c6ecaae0b69edda59a3d784348c9a96f
                          • Instruction Fuzzy Hash: 97A14AB4E01209DFCB04DFE9D5855AEBBB2FF89300F208569D816AB354DB389946CF61
                          Function 07AD5B30 Relevance: 1.5, Strings: 1, Instructions: 208COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 799 7ad5b30-7ad5b55 800 7ad5b5c-7ad5b8d 799->800 801 7ad5b57 799->801 802 7ad5b8e 800->802 801->800 803 7ad5b95-7ad5bb1 802->803 804 7ad5bba-7ad5bbb 803->804 805 7ad5bb3 803->805 813 7ad5bc0-7ad5be5 804->813 817 7ad5ddf-7ad5de8 804->817 805->802 806 7ad5dac-7ad5dc3 805->806 807 7ad5d29-7ad5d50 805->807 808 7ad5dc8-7ad5dda 805->808 809 7ad5c48-7ad5c5e 805->809 810 7ad5cea-7ad5cfd 805->810 811 7ad5be7-7ad5bfa 805->811 812 7ad5d81-7ad5d99 805->812 805->813 814 7ad5c63-7ad5c76 805->814 815 7ad5ca2-7ad5ca8 call 7ad5f23 805->815 816 7ad5bfc-7ad5c12 805->816 805->817 818 7ad5d9e-7ad5da7 805->818 819 7ad5d55-7ad5d7c 805->819 820 7ad5c14-7ad5c43 805->820 821 7ad5cd3-7ad5ce5 805->821 806->803 807->803 808->803 809->803 824 7ad5cff-7ad5d0e 810->824 825 7ad5d10-7ad5d17 810->825 811->803 812->803 813->803 822 7ad5c89-7ad5c90 814->822 823 7ad5c78-7ad5c87 814->823 828 7ad5cae-7ad5cce 815->828 816->803 818->803 819->803 820->803 821->803 826 7ad5c97-7ad5c9d 822->826 823->826 827 7ad5d1e-7ad5d24 824->827 825->827 826->803 827->803 828->803
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: j4$y
                          • API String ID: 0-2391584009
                          • Opcode ID: 907edd8842968e48002e72bc13fa9670368a9ee4a5636be520a114950e2c4e4c
                          • Instruction ID: 4a89503d46ee958d938176829035da75e86a823aefccd30df6e1921044c14dca
                          • Opcode Fuzzy Hash: 907edd8842968e48002e72bc13fa9670368a9ee4a5636be520a114950e2c4e4c
                          • Instruction Fuzzy Hash: 1B810BB1D15209DFCB08CFE6D58099EFBB2FF89310F10942AE416AB264E7349952CF54
                          Function 07AD5B23 Relevance: 1.5, Strings: 1, Instructions: 207COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: j4$y
                          • API String ID: 0-2391584009
                          • Opcode ID: b04426aa104e318526bb5395b700a528f8c920403af860c49cdec4edbc8ef346
                          • Instruction ID: ce4619834b24f9d2d179a0c366af55e851b4e0f8899d332b1975f8cf451f7d94
                          • Opcode Fuzzy Hash: b04426aa104e318526bb5395b700a528f8c920403af860c49cdec4edbc8ef346
                          • Instruction Fuzzy Hash: 6D81FBB1D15209EFDB08CFA5D5809DEFBB2FF89310F10942AE416AB264EB349956CF50
                          Function 07AD44BB Relevance: .2, Instructions: 156COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a9457c24908c8482a84468619b2944a5fdbd1b170f0e8d400fecbed60079376c
                          • Instruction ID: 4eb09b58335401ab9d39b2be6faf2ee8b8477fb37555f33240ee0b686a4d2ce3
                          • Opcode Fuzzy Hash: a9457c24908c8482a84468619b2944a5fdbd1b170f0e8d400fecbed60079376c
                          • Instruction Fuzzy Hash: 05512CB0E152199FCB04CFA5D9454AEFBB2FF8D200F14992AD816E7264DB748A01CF64
                          Function 07AD44C8 Relevance: .2, Instructions: 152COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a7b0763e4ff5251fa6c92b42aa6377f4d6b1685c8046aef6923067d08d92428d
                          • Instruction ID: 08e849e351c29b7f09f910a6e814192031ae77a60ac059f4a6b2945e1f08f4b3
                          • Opcode Fuzzy Hash: a7b0763e4ff5251fa6c92b42aa6377f4d6b1685c8046aef6923067d08d92428d
                          • Instruction Fuzzy Hash: F7511BB0E152099FCB08CFA5D9454AEFBF2FF8D201F10992AE926E7254DB749901CF64
                          Function 07AD05B0 Relevance: .1, Instructions: 76COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4998aac4e2001df1d56b96eb599dfb060a24560c46a238fbf02e0af1626f3670
                          • Instruction ID: e25bf7e3c91c415f79976a45d2b927bb49667aa34573ef99c7c04f1feb880784
                          • Opcode Fuzzy Hash: 4998aac4e2001df1d56b96eb599dfb060a24560c46a238fbf02e0af1626f3670
                          • Instruction Fuzzy Hash: 503108B1E012189BDB58CFAAC9446DEBBB3EFC9311F14C1A9D409A7354DB755A82CF40
                          Function 07AD05A0 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25794eca146f92460780ab2b1e8a51d6bb7abdf4f5b965c5f56152971f3bcb8a
                          • Instruction ID: 15ea8646852a58a140724369fdf3f4fad96e07727601bd4def420739287e48e3
                          • Opcode Fuzzy Hash: 25794eca146f92460780ab2b1e8a51d6bb7abdf4f5b965c5f56152971f3bcb8a
                          • Instruction Fuzzy Hash: 8E210EB1E016588BDB18CFABD8406DEBFF7AFC8310F14C17AD409A6258DA745945CF51
                          Function 032A5D78 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 557 32a5d78-32a5d8f 559 32a5d91-32a5e61 CreateActCtxA 557->559 561 32a5e6a-32a5ec4 559->561 562 32a5e63-32a5e69 559->562 569 32a5ed3-32a5ed7 561->569 570 32a5ec6-32a5ec9 561->570 562->561 571 32a5ee8 569->571 572 32a5ed9-32a5ee5 569->572 570->569 573 32a5ee9 571->573 572->571 573->573
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 032A5E51
                          Memory Dump Source
                          • Source File: 00000002.00000002.1289318524.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_32a0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 0881541527d152fb3e77c6e24ba24950395d1ea8512d9ee11c1ece3e66e73478
                          • Instruction ID: a1e70bdb862886b10bb9714894ceb2c163b063a12bb959c6ec58226148613e2f
                          • Opcode Fuzzy Hash: 0881541527d152fb3e77c6e24ba24950395d1ea8512d9ee11c1ece3e66e73478
                          • Instruction Fuzzy Hash: 584102B1C11B19CFDB25CFA9C9447CEBBF1AF49300F24806AD448AB251DB75594ACF90
                          Function 032A4524 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 575 32a4524-32a5e61 CreateActCtxA 578 32a5e6a-32a5ec4 575->578 579 32a5e63-32a5e69 575->579 586 32a5ed3-32a5ed7 578->586 587 32a5ec6-32a5ec9 578->587 579->578 588 32a5ee8 586->588 589 32a5ed9-32a5ee5 586->589 587->586 590 32a5ee9 588->590 589->588 590->590
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 032A5E51
                          Memory Dump Source
                          • Source File: 00000002.00000002.1289318524.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_32a0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: fcff29c32fbb16eb9cd72496b74ddf3b2142f34f7ef86e3f67f2412b65084cfb
                          • Instruction ID: b5a9916a1ef7fa3a2c87381538792b91f737409c18fe0fc6c6ac38681c7c735b
                          • Opcode Fuzzy Hash: fcff29c32fbb16eb9cd72496b74ddf3b2142f34f7ef86e3f67f2412b65084cfb
                          • Instruction Fuzzy Hash: 2541D2B1C10B1DCBDB24DFA9C94478EBBF5BF49314F24806AD408AB251DB756946CF90
                          Function 032AE5D8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 592 32ae5d8-32aeadc DuplicateHandle 594 32aeade-32aeae4 592->594 595 32aeae5-32aeb02 592->595 594->595
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032AEA0E,?,?,?,?,?), ref: 032AEACF
                          Memory Dump Source
                          • Source File: 00000002.00000002.1289318524.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_32a0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: f2d23ee082f649edd2b87f38effa088e395bb8243249be8b6570965746c1e30a
                          • Instruction ID: 58ede54721ff95e3ce75aff52554343d1b7c4d00db1571eb2417998073f40643
                          • Opcode Fuzzy Hash: f2d23ee082f649edd2b87f38effa088e395bb8243249be8b6570965746c1e30a
                          • Instruction Fuzzy Hash: 7721F2B5D007489FDB10CF9AD884ADEBBF8FB48320F14802AE918A3210D374A951CFA0
                          Function 032AB072 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 598 32ab072-32ab0cc 601 32ab11a-32ab133 598->601 602 32ab0ce-32ab0f6 KiUserCallbackDispatcher 598->602 603 32ab0f8-32ab0fe 602->603 604 32ab0ff-32ab113 602->604 603->604 604->601
                          APIs
                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 032AB0E5
                          Memory Dump Source
                          • Source File: 00000002.00000002.1289318524.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_32a0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID: CallbackDispatcherUser
                          • String ID:
                          • API String ID: 2492992576-0
                          • Opcode ID: f37eb647fd4aa412900521da3676495d387d9a04d350722a80118345d412c823
                          • Instruction ID: 0d34394786dc31f1a5d8925be7d22a343abff840c7361af59b803da1162812c7
                          • Opcode Fuzzy Hash: f37eb647fd4aa412900521da3676495d387d9a04d350722a80118345d412c823
                          • Instruction Fuzzy Hash: 73110371804789CFEB11DF5AC4453EEBFF8EB05320F14409AD49AA3282C33A9545CFA5
                          Function 032AB080 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 606 32ab080-32ab0cc 608 32ab11a-32ab133 606->608 609 32ab0ce-32ab0f6 KiUserCallbackDispatcher 606->609 610 32ab0f8-32ab0fe 609->610 611 32ab0ff-32ab113 609->611 610->611 611->608
                          APIs
                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 032AB0E5
                          Memory Dump Source
                          • Source File: 00000002.00000002.1289318524.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_32a0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID: CallbackDispatcherUser
                          • String ID:
                          • API String ID: 2492992576-0
                          • Opcode ID: 83301eabf140172cdbc0ae0d6f6821c734ac7583fe124e6d3a781b42f79453f4
                          • Instruction ID: 59e0e86c8b46640f57cf3531ff6999436b67db79d950ecc9b97f9907942f4b8b
                          • Opcode Fuzzy Hash: 83301eabf140172cdbc0ae0d6f6821c734ac7583fe124e6d3a781b42f79453f4
                          • Instruction Fuzzy Hash: F311C1B5804789CFEB11DF5AC4453EEBFF8EB05320F14409AD59AA3282C33A5685CF65
                          Function 032AC760 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 613 32ac760-32ac7a0 614 32ac7a8-32ac7d3 GetModuleHandleW 613->614 615 32ac7a2-32ac7a5 613->615 616 32ac7dc-32ac7f0 614->616 617 32ac7d5-32ac7db 614->617 615->614 617->616
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 032AC7C6
                          Memory Dump Source
                          • Source File: 00000002.00000002.1289318524.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_32a0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: d2749f03871df270a70838a1655f686501e176b4202a3a487d8d1d261b97dcd2
                          • Instruction ID: 4a770c4451076872f51aa6c45e3f1ee90f9544afb5664ef75b6264a90008c971
                          • Opcode Fuzzy Hash: d2749f03871df270a70838a1655f686501e176b4202a3a487d8d1d261b97dcd2
                          • Instruction Fuzzy Hash: 771113B5C007498FDB20DF9AC844BDEFBF8EB88320F14842AD419A7610C375A545CFA1
                          Function 07AD980C Relevance: 1.4, Strings: 1, Instructions: 118COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teq
                          • API String ID: 0-1098410595
                          • Opcode ID: 95acae9acf2213a78a64e33d1efcdca1a20ce65e9659ed6c9c24c80d647ee8ff
                          • Instruction ID: 8c5c233d361f23eb8e6c86134b2ca8e676f727bb94407d95db96a588db2a2692
                          • Opcode Fuzzy Hash: 95acae9acf2213a78a64e33d1efcdca1a20ce65e9659ed6c9c24c80d647ee8ff
                          • Instruction Fuzzy Hash: 63412EB4D09348DFDB04CFE5D8442AEBBB6FF8A301F14912AD41AAB265D734AD06CB50
                          Function 07AD9841 Relevance: 1.4, Strings: 1, Instructions: 118COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teq
                          • API String ID: 0-1098410595
                          • Opcode ID: d9fcc268726c25f74160c04414f0144823e2058a0846b0c93275450782dc17e0
                          • Instruction ID: 52d8a231fe9c97263b6eae8abc6b2dbfdcf23acfb3a17467f084bc10187f1c00
                          • Opcode Fuzzy Hash: d9fcc268726c25f74160c04414f0144823e2058a0846b0c93275450782dc17e0
                          • Instruction Fuzzy Hash: 9B412BB0D19208DBDB04DFA5D8446EEBBFAFF8A300F10912AD41AAB254DB345D06CB50
                          Function 07ADD1C8 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: [K$
                          • API String ID: 0-2748047997
                          • Opcode ID: 3169b1229bc8a2a95a92f540d1763311cf773d172b37200a3638a3c316bdea1d
                          • Instruction ID: 6fd19ffeaadb39364ada10092ba75774c0725834514c4f3a50410ecd4200fb24
                          • Opcode Fuzzy Hash: 3169b1229bc8a2a95a92f540d1763311cf773d172b37200a3638a3c316bdea1d
                          • Instruction Fuzzy Hash: 863150B4A45218EFEB10DF64D945BADBBB6FB88300F108299D42A9B358DB345D06CF91
                          Function 07AD1AA1 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: ?H,a
                          • API String ID: 0-4093759987
                          • Opcode ID: 04e0b84feb177f065d89b537fe97d5a63bcc8dbffd962d70e8d830b92800b12a
                          • Instruction ID: fc7086797675f3497e9c10ab2cbb52a8320fc03ee4142c953af90e513744d97e
                          • Opcode Fuzzy Hash: 04e0b84feb177f065d89b537fe97d5a63bcc8dbffd962d70e8d830b92800b12a
                          • Instruction Fuzzy Hash: 4C212874E05209EFDB04DFA9C945A9EFBF6FF88200F15C5A6D419A7264E6349E41CB40
                          Function 07AD4970 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: G'/.
                          • API String ID: 0-3562003039
                          • Opcode ID: dbede06f3bf56763a3e25f56c3d50246fa911663c5d8fc8dd76ab55911182df8
                          • Instruction ID: 07ce126d83e36fe86481c048e063c7a3c04589453cad64dddb70d454bd19545c
                          • Opcode Fuzzy Hash: dbede06f3bf56763a3e25f56c3d50246fa911663c5d8fc8dd76ab55911182df8
                          • Instruction Fuzzy Hash: 73110AB0A15289DFCB04CF65D9445ADFBB3EB8A201F2041AADC27E7250E6304F418750
                          Function 07AD68EF Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: u|P
                          • API String ID: 0-1764873574
                          • Opcode ID: 69dc15f05b9ad6812f7bbe7ee8d5e356979e333f11875075869bb73c1b19d4d1
                          • Instruction ID: 5dbe6a6811e40aa1f4a3098b0cd33e3eecda82402a2ca669be9011d0de13e391
                          • Opcode Fuzzy Hash: 69dc15f05b9ad6812f7bbe7ee8d5e356979e333f11875075869bb73c1b19d4d1
                          • Instruction Fuzzy Hash: 031146B4E05249EFCF04CFA9C5416AEBFF2EF89200F24C0AAD90AA7314E6344E41CB51
                          Function 07AD6900 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: u|P
                          • API String ID: 0-1764873574
                          • Opcode ID: 5c44a145731aae05c6ed4763d341ce832ac414cd73976756f4985ca618e551e4
                          • Instruction ID: 333d2bf8d4444ad986c5acf35695474389c8f562600e0b14970c757536d14355
                          • Opcode Fuzzy Hash: 5c44a145731aae05c6ed4763d341ce832ac414cd73976756f4985ca618e551e4
                          • Instruction Fuzzy Hash: 7C113AB4E15209EFCB04CFA9C5416AEFBF6EB89300F20C4AAD51AA3304D6345F41CB45
                          Function 07AD48C0 Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: G'/.
                          • API String ID: 0-3562003039
                          • Opcode ID: 742b9556e2e1d01a481fb6f38289f2783f3c7818375edbe22a08ceaf83e62d06
                          • Instruction ID: c8d96cd10d97fd3132ac9aa9aff78763b9b559ea84be7c9b793abaa329c91c07
                          • Opcode Fuzzy Hash: 742b9556e2e1d01a481fb6f38289f2783f3c7818375edbe22a08ceaf83e62d06
                          • Instruction Fuzzy Hash: B901D2B0E15288EBCB08CFA5D94465DBFB3EB89201F2494B5C816A3254E6348E41CB00
                          Function 07AD98CB Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teq
                          • API String ID: 0-1098410595
                          • Opcode ID: 8ddaa5028ef2fbe26155abb602055791ae2ed34532925a762d79beb685190ff7
                          • Instruction ID: 70ee67e7133301e553e900c05d3cbb9bbc06e8a2350589d4d114e22bee0ffeba
                          • Opcode Fuzzy Hash: 8ddaa5028ef2fbe26155abb602055791ae2ed34532925a762d79beb685190ff7
                          • Instruction Fuzzy Hash: 34117F75E00209CFDB05DFE8C8849DDFBB2FB88310F20816AE918AB355C731A945CB50
                          Function 07AD48D0 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: G'/.
                          • API String ID: 0-3562003039
                          • Opcode ID: 0d7244e029992cf5f33197b7132efd6ddda851407c5825b89e2ab3abafb3b641
                          • Instruction ID: 3b17d1856e115e7eb1d37b9b7889ef08176cc4416d959e06c8eefbfe701efc2b
                          • Opcode Fuzzy Hash: 0d7244e029992cf5f33197b7132efd6ddda851407c5825b89e2ab3abafb3b641
                          • Instruction Fuzzy Hash: 4301F7B0E15248DFC708CFA5D94055DFAB7EB8A201F20D4B5C82BA3254E6308F41CB00
                          Function 07AD5F23 Relevance: 1.3, Strings: 1, Instructions: 18COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: k
                          • API String ID: 0-140662621
                          • Opcode ID: 431eac79db1096b42950de181aa5f6b81efe761a1209fda061d5719b9f764236
                          • Instruction ID: 3d98aa18505af8f3f4794fb33a09143531554c539699658257028e732ff60b3e
                          • Opcode Fuzzy Hash: 431eac79db1096b42950de181aa5f6b81efe761a1209fda061d5719b9f764236
                          • Instruction Fuzzy Hash: BEE08CB0905348CFCB06DBA0C44169CBB70AB56211B0041EAC41AA7241CA398A52C712
                          Function 07AD9A70 Relevance: .3, Instructions: 275COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0dc858dc822f2979dc188b5767b41fdb92a6db2edb270574b1b84803a74531e7
                          • Instruction ID: ebf02a696f0d5a50b1f1fd88906e001d748090f63f1eb0c528dbc00ffc7d8424
                          • Opcode Fuzzy Hash: 0dc858dc822f2979dc188b5767b41fdb92a6db2edb270574b1b84803a74531e7
                          • Instruction Fuzzy Hash: 9BB14DB4E1521ADFDB14DFA4D850ADEBBB6FF89300F109615D42AAB355DB30AC46CB80
                          Function 07ADB1FD Relevance: .1, Instructions: 115COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8c9a8bc036f0ce35b7e60f2fbb0981e68f1678beaf6abd3a9d7d648a738f241c
                          • Instruction ID: f5dcfada018aaf7ec7df06e26bda2bab638617fbece82c79a18f5b1b4e21bc75
                          • Opcode Fuzzy Hash: 8c9a8bc036f0ce35b7e60f2fbb0981e68f1678beaf6abd3a9d7d648a738f241c
                          • Instruction Fuzzy Hash: B2415BF4D19248DFCB04CF99D4855ADBBBAFF8A300F118155D426A7611D7349D41CB60
                          Function 07ADA0C1 Relevance: .1, Instructions: 93COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cf6e66920038e2ee058623d9187c94459d0fc1043a3d564ebb9ce3e6ea51a393
                          • Instruction ID: 24dd1581809e39e65941f24f5a020cae526bbeb85bb0c6266e07507853f03d6d
                          • Opcode Fuzzy Hash: cf6e66920038e2ee058623d9187c94459d0fc1043a3d564ebb9ce3e6ea51a393
                          • Instruction Fuzzy Hash: A231AFB4D19209EFDB08CB96D8405FEFBBABF8A301F04D125E42AA7251D7344D42CB84
                          Function 07AD5F58 Relevance: .1, Instructions: 93COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 70e898a78fe82ef553fd9328aeacb5276039509a8b77e565c70ba21ed0d9b74c
                          • Instruction ID: 35758048519b2b760ab2bd151c2cf9bcff20acf0a9779157d1f38c4e96f65eff
                          • Opcode Fuzzy Hash: 70e898a78fe82ef553fd9328aeacb5276039509a8b77e565c70ba21ed0d9b74c
                          • Instruction Fuzzy Hash: DA3167B69002099FCF14DFA9D844A9EBFF9EB48320F10842AE819E7210D735A955CFA0
                          Function 07AD7158 Relevance: .1, Instructions: 91COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0c23596cba3b13403e7b5552e8e7104f9052cdf812ed5824fc37447c293e504b
                          • Instruction ID: 5345e41b72d0105e6c2df4dd9ebf2f4b479a836f7f5419c71aa059ebd4ce0131
                          • Opcode Fuzzy Hash: 0c23596cba3b13403e7b5552e8e7104f9052cdf812ed5824fc37447c293e504b
                          • Instruction Fuzzy Hash: 3F316CB0E14209DFDB08CFA9D5416AEBBF2FF89310F2095AAD426A7250E7349E41CF50
                          Function 07AD5228 Relevance: .1, Instructions: 90COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f081dc0326b2c8d85fdb380ff160c243a97ee170871e94929dfc73b4202a5d9
                          • Instruction ID: 813627aef74dcd39b49836b7f1d9f4023ab113f9abf7fe5a5f1fe0e4bcaf780d
                          • Opcode Fuzzy Hash: 2f081dc0326b2c8d85fdb380ff160c243a97ee170871e94929dfc73b4202a5d9
                          • Instruction Fuzzy Hash: 533113B4E112199FCB08CFA9D4955AEBBF2FF88310F10842AE826A7344DB745D52CF50
                          Function 07AD1E58 Relevance: .1, Instructions: 89COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 066efa674c17e6ae3008c96eba0ca3fe07498314ae85712e74b1bb00c64ad433
                          • Instruction ID: 6b802242eccf14acf742bed1bf663271f286abe033701b15c13a2f1ad39cff6b
                          • Opcode Fuzzy Hash: 066efa674c17e6ae3008c96eba0ca3fe07498314ae85712e74b1bb00c64ad433
                          • Instruction Fuzzy Hash: 5B3128B0E1420ADFCB04CFA9C5805AEFBF2FF89200F14C96AD426A7244D7749A41CF94
                          Function 07AD1E68 Relevance: .1, Instructions: 88COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce5b66dc9cb1a265212a1ece9d3019973ca82d40da5e77654210be6663dc6ce2
                          • Instruction ID: c64c534f8d0aef10062cae5d55025e3e41572ae7da5317fdd0a58f3c8f19bbb4
                          • Opcode Fuzzy Hash: ce5b66dc9cb1a265212a1ece9d3019973ca82d40da5e77654210be6663dc6ce2
                          • Instruction Fuzzy Hash: 053127B0E1020AEFCB44CFA9C5805AEFBB2FF89200F15C96AD426A7214D7749A41CF94
                          Function 07AD7148 Relevance: .1, Instructions: 87COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ffcafdd435e8fa2b8bb45a4cbc597dcf7289d48fca8890322a04caa38e8732da
                          • Instruction ID: c16b9612b4f8d73854a7e0c4d78c8af8c8086d34c35d4f27b33732b01e23baa0
                          • Opcode Fuzzy Hash: ffcafdd435e8fa2b8bb45a4cbc597dcf7289d48fca8890322a04caa38e8732da
                          • Instruction Fuzzy Hash: 48316BB0E14209DFDB48CFA9D5816AEBBF2FF89310F1094AAD426A7250E7348E41CF10
                          Function 07AD5218 Relevance: .1, Instructions: 86COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8bebaa0a2b6f45a8fa3db5a2c0c1f42d1cc7034fa3febe8df60ab5e9ab5ee51f
                          • Instruction ID: 2d402232e322ba49becbeada6794fde7e4c1133cb1380338115f0f8c6720e9b4
                          • Opcode Fuzzy Hash: 8bebaa0a2b6f45a8fa3db5a2c0c1f42d1cc7034fa3febe8df60ab5e9ab5ee51f
                          • Instruction Fuzzy Hash: 183114B4E152099FCB08CFA9D4956AEBBF2BF88310F00842AE822E7354E7745945CF50
                          Function 07ADFCF8 Relevance: .1, Instructions: 81COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a9760113321f70bf9466d3032230d87ccae77938f3e8e9f646c6a6f87eba9127
                          • Instruction ID: 90d9d5d733b9b1c3e473ffe8956c3be0628348f7d2e6ef799e54827efb1999c7
                          • Opcode Fuzzy Hash: a9760113321f70bf9466d3032230d87ccae77938f3e8e9f646c6a6f87eba9127
                          • Instruction Fuzzy Hash: 703118B49012099FCB05DFA8D454AEEBBF5EF89314F00816AE466AB360DB349D45CFA1
                          Function 07AD5168 Relevance: .1, Instructions: 78COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c04915590117e5f73e2b25f85d708b799ed7b034016273fb8d534f3b35ea96d
                          • Instruction ID: 148047d8c2e0d8f926274e4716566ec3fc015c1ddb447e1df862d5f2c304b616
                          • Opcode Fuzzy Hash: 6c04915590117e5f73e2b25f85d708b799ed7b034016273fb8d534f3b35ea96d
                          • Instruction Fuzzy Hash: D9311EB4E0520ADFCB44DFE9DA416AEBBF2EB88300F2085AAD515E3354E7349F518B51
                          Function 0170D3D8 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1288475118.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_170d000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8820c1bbba80f70a1486e0d5e394c87517a6a33e4bbe008b622c23f60062ea06
                          • Instruction ID: b1af7dc8c87368e64186426265b5b48378e850e86427519086e785637e6bc96c
                          • Opcode Fuzzy Hash: 8820c1bbba80f70a1486e0d5e394c87517a6a33e4bbe008b622c23f60062ea06
                          • Instruction Fuzzy Hash: 2421F4B1504304DFDB26DF94D9C0B56FBA5FB84324F20C1A9ED090B296C336E456CAA2
                          Function 0170D4C4 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1288475118.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_170d000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 27735d1ea32b8d9db46f93282f430855e4fa35ddf94319378a0350bcc3b033fa
                          • Instruction ID: ce6471246e3b24ad9ffef7479f0406f8c347fb20d11ffb00702b7af02391e56e
                          • Opcode Fuzzy Hash: 27735d1ea32b8d9db46f93282f430855e4fa35ddf94319378a0350bcc3b033fa
                          • Instruction Fuzzy Hash: 0C21B071504340DFDB26DF94D984B26FFA5EB88328F2485A9ED090A296C336D456CAA2
                          Function 07ADD110 Relevance: .1, Instructions: 73COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cdfb976efd141dccd4a1d592b668910d45415b05623928f28654f1774df1f0d9
                          • Instruction ID: 64a64885a6a13a346f12c603217df063153ffcf3f2cf9349a75e416a0fd0b141
                          • Opcode Fuzzy Hash: cdfb976efd141dccd4a1d592b668910d45415b05623928f28654f1774df1f0d9
                          • Instruction Fuzzy Hash: 8E314CB4A05219EFDB10DFA8D889A9CBBB5FB89300F10869AE41BE7344D7345D46CF60
                          Function 0171D1D4 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1288545102.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_171d000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ca853bda5a8b19f939477e01a7e3dae2f0c9da46cf5ec78030dfa8c28b3923f
                          • Instruction ID: 552a0af1174518e4371f58bdbb42dad4aa63da9e949c82cc46954b26931211a4
                          • Opcode Fuzzy Hash: 3ca853bda5a8b19f939477e01a7e3dae2f0c9da46cf5ec78030dfa8c28b3923f
                          • Instruction Fuzzy Hash: A0210771608300DFDB25DF98D9C8B55FBA5FB84324F20C6ADD8494B25AC336D446CE61
                          Function 0171D01C Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1288545102.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_171d000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 248f2d289d31f324702062e1b0208707977bb2915f0143764d15c097f8dac37c
                          • Instruction ID: 9538c309fdae2d04d451749e204238f43825390b24b8ca4f01be2a2515dea818
                          • Opcode Fuzzy Hash: 248f2d289d31f324702062e1b0208707977bb2915f0143764d15c097f8dac37c
                          • Instruction Fuzzy Hash: E521F275604304DFDB25DF58D9C8B16FB65EB88314F20C5ADD84A4B28AC33AD847CE62
                          Function 07ADA124 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c09c2fef09ae4708f5ddfa97534c9feb93f6fe7a09c84cc30d1b79540da687fb
                          • Instruction ID: ef18048fbebbd9cf205c46362eae8bb0d9b05e8a0c2d10949932537df5184458
                          • Opcode Fuzzy Hash: c09c2fef09ae4708f5ddfa97534c9feb93f6fe7a09c84cc30d1b79540da687fb
                          • Instruction Fuzzy Hash: 6921B7B4E19209DFDB04CFAAD4846EEBBF6BB8E311F14D029E42AA3251D7345D41CE54
                          Function 07ADFD08 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8ac7e7fcf528dd089757057480bff29ff3521a6d9f986389e81a7ef13b0ef9d6
                          • Instruction ID: 11e6ae69149fa206d7c52232c54aa1abad7051cb7edc33259aa4786f5f1ecc4c
                          • Opcode Fuzzy Hash: 8ac7e7fcf528dd089757057480bff29ff3521a6d9f986389e81a7ef13b0ef9d6
                          • Instruction Fuzzy Hash: E731C5B4A112099FCB04DFA9D494ADEBBB1AF8D314F10812AE426A7350DB34AD41CFA1
                          Function 07ADA260 Relevance: .1, Instructions: 68COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7456928afbfb8fb50c15fc9c27fefdc09af5bcd4b20f8851d808f675af478435
                          • Instruction ID: ecc8123b7ec281690c494da1bdcfce20e4e364c428b026ce8bca6fd892f1a579
                          • Opcode Fuzzy Hash: 7456928afbfb8fb50c15fc9c27fefdc09af5bcd4b20f8851d808f675af478435
                          • Instruction Fuzzy Hash: 1A21FAB4D08209DFCB40CFA9C181AAEBBF5AB49300F209195D81AA7722D771AE40CF91
                          Function 07AD19A8 Relevance: .1, Instructions: 65COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a65c7f8951302c78c3c3e3909a61ea2c653305e68b04b4a378288c383d2f0c80
                          • Instruction ID: 981b103530a62a9a4a634186548dbb34cb7de80b4a4307f3677ca936b5aed3fe
                          • Opcode Fuzzy Hash: a65c7f8951302c78c3c3e3909a61ea2c653305e68b04b4a378288c383d2f0c80
                          • Instruction Fuzzy Hash: DE212AB0E0420AEFDB44CFA9C5416AEFBF2BF89300F10C5AAD415A7260E7749A41CB91
                          Function 07AD19B8 Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 34fac4e7248b0e56e0af0f69e213055921654fe0a937ca6fdbae902aa6ed0959
                          • Instruction ID: 863d5d1afe8a19f89c6de5d7429675e9763e013f33ae4c407f64a10be7b605d5
                          • Opcode Fuzzy Hash: 34fac4e7248b0e56e0af0f69e213055921654fe0a937ca6fdbae902aa6ed0959
                          • Instruction Fuzzy Hash: 88213EB0D0421ADFCB44CFA9C5416AEFBF2BF89300F11D566D415A7260D7749E41CB91
                          Function 07ADA7E1 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 83500418d390ac398d46ebf73c29462d0dd9a5058afc97dec553e3fa9c03ecf6
                          • Instruction ID: ffcacc81c221201dcfce37d311e1bedb69e7a904a43fb93d9a743cfdb21ddf88
                          • Opcode Fuzzy Hash: 83500418d390ac398d46ebf73c29462d0dd9a5058afc97dec553e3fa9c03ecf6
                          • Instruction Fuzzy Hash: D82115B1D046489BEB19CFAAD8543DEFEB6AFC9300F04C16AD409A6264DB7409468FA0
                          Function 07ADE528 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 09955fbec283b468643ee2f1546f9462aea33e75f7a856e7629b0e2651b6e9c4
                          • Instruction ID: 5271ac08a83097df2be7b12d2cdc6e294b7461a595e4a2cac1d6cb0e21fd18e2
                          • Opcode Fuzzy Hash: 09955fbec283b468643ee2f1546f9462aea33e75f7a856e7629b0e2651b6e9c4
                          • Instruction Fuzzy Hash: 88115EB0F046059FDB28AB7998147BF76A6BBC46A0F548129D8278B380FA70DD1187D1
                          Function 07ADA319 Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ae838c6fa5bdefaa1aca1597c7ea0c1d5e7f1c74dc42a4c7250050a443f16be
                          • Instruction ID: d2c4f5f99067392b188e0a907fb1cf189f0d265a4897d0e5c3b53fd214f8f41f
                          • Opcode Fuzzy Hash: 9ae838c6fa5bdefaa1aca1597c7ea0c1d5e7f1c74dc42a4c7250050a443f16be
                          • Instruction Fuzzy Hash: C1115EB8D09248EFC708CFA9C5419AEBFF5FB4A340F14C595D42997211C7709E45CB91
                          Function 07ADA270 Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b368890662f81d6941c061bde7c5a148e344be99544e6a90c4d56466f00f3f91
                          • Instruction ID: 9c8b5b69a11f07279eadc08aa0927da51df39eee661adaaf6787372643feff80
                          • Opcode Fuzzy Hash: b368890662f81d6941c061bde7c5a148e344be99544e6a90c4d56466f00f3f91
                          • Instruction Fuzzy Hash: 6521D8B4E08209DFCB40CF9AC181AAEBBF5BB49300F609155D81AB7721E7719E41CF91
                          Function 07ADD08F Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25a2afaed82f2b6e199822b45bbbb08cfbe941ec442b17b9c1243bbde4dfb72d
                          • Instruction ID: f26ce186d593e8cebdaf8e709e840df95252af73d37e0e3eb543bef057aa992c
                          • Opcode Fuzzy Hash: 25a2afaed82f2b6e199822b45bbbb08cfbe941ec442b17b9c1243bbde4dfb72d
                          • Instruction Fuzzy Hash: 362196B4A05244EFDB00DF64E5559ACBFFAFB89301B04429AE45B9B311D7349C06CF90
                          Function 07ADD2CC Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 81c8abc59687277d0051eb902fa6af949817004b0fbb6aedf2b53a597b075081
                          • Instruction ID: 18eaf376c352a8486d636cf9d3cdbbaccfda7adc767952c91a9dc45615c945bd
                          • Opcode Fuzzy Hash: 81c8abc59687277d0051eb902fa6af949817004b0fbb6aedf2b53a597b075081
                          • Instruction Fuzzy Hash: 162142B5A05218EFDB10CF24D945BADBBB6FB84200F1082DAD85EA7345DB385D46CF50
                          Function 0170D4BF Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1288475118.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_170d000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction ID: 919f02d2809735b734a71f69e250fac61f70963df4acf7df5d7ff57ce88d3571
                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction Fuzzy Hash: 99119D76504380CFCB16CF94D5C4B16FFA2FB88324F2486A9DC490B696C336D45ACBA1
                          Function 0170D3D3 Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1288475118.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_170d000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction ID: dd6c3f1a5458536dc487e243f803cdb3bfb76b4b450ba771bc1fb003a86bef82
                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction Fuzzy Hash: 0C11CD76504340CFCB16CF84D5C0B56FFA2FB84324F2482A9EC090A296C33AE456CBA1
                          Function 07AD70B0 Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb02820514b0b5fdd80e0694e4c07d53f6cc5b36956718f04aaa6c83bbccca3a
                          • Instruction ID: a2b208ff826d27e847cb4d71641b0b93f161fecc1404e4189b45013132f18d74
                          • Opcode Fuzzy Hash: bb02820514b0b5fdd80e0694e4c07d53f6cc5b36956718f04aaa6c83bbccca3a
                          • Instruction Fuzzy Hash: 6E1186B4D15249EFCB08CFB8D94129DBFB2EB86310F1482DAD425A77A1D7354E45CB41
                          Function 0171D017 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1288545102.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_171d000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                          • Instruction ID: 8b568643a30340944b182139ce0e8610143f9ac774f7f42286655e5a76060761
                          • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                          • Instruction Fuzzy Hash: FE11BE75504280CFCB16CF58D5C4B15FB62FB44314F24C6A9D8494B65AC33AD44ACF62
                          Function 0171D1CF Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1288545102.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_171d000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                          • Instruction ID: 2a8574a0a3be3808d1fc3f0413b97b65d4e965d0219d9396fbd2605f5c4b9f69
                          • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                          • Instruction Fuzzy Hash: 6211BB75508280DFCB16CF58C5C4B55FBA2FB84324F24C6ADD8494B69AC33AD40ACF61
                          Function 07ADB680 Relevance: .1, Instructions: 51COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3087cd8258a83d13a342448b748ea89b1668e4dd333e6f1469a8cf9c377c0a5
                          • Instruction ID: 33ea6e1ba3094a6124cab1b425a5a9200c2c21fc83f08b661b6df17d726602ad
                          • Opcode Fuzzy Hash: a3087cd8258a83d13a342448b748ea89b1668e4dd333e6f1469a8cf9c377c0a5
                          • Instruction Fuzzy Hash: 6D0184F491D248EFCB04CB95C9415F8BFB8EF9B210F169295D0265B112C7309E46DB62
                          Function 07AD6FA9 Relevance: .1, Instructions: 51COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5e92f24ba9ec9688f15594e3292b55a2e00e963d880252c4d7a22a2c4b274bfe
                          • Instruction ID: ea302718159c5924e05e16f4434109f0d2361fb8ae3c549b7ad5e6a10995dfe1
                          • Opcode Fuzzy Hash: 5e92f24ba9ec9688f15594e3292b55a2e00e963d880252c4d7a22a2c4b274bfe
                          • Instruction Fuzzy Hash: DB116AB5E05609EFCB08CFA9D54469EBFF2AF89300F2485AAD816F7344E7309A41CB51
                          Function 07ADA7F0 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7a7d2962249ab0ea01217f571822e8fed002a4f8ea597f2a5508bcf8e10e5e0d
                          • Instruction ID: 4c5769b7ddf8dde63b23018163e461d17c2122234713f95bd74813d126d665b1
                          • Opcode Fuzzy Hash: 7a7d2962249ab0ea01217f571822e8fed002a4f8ea597f2a5508bcf8e10e5e0d
                          • Instruction Fuzzy Hash: 2E11D2B1D006189BEB18CF9BC8557DEFAF6AFC8300F14C16AD409662A4DB7409468FA4
                          Function 07AD6FB8 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ed6b185f19abe27b4fd9f4f9b3e2e2db3c1589ba6165c10c964cf4358e2dd864
                          • Instruction ID: 7ae566c3992fce7e5c7372d13bc1564a21ae51cd5180a8a7f0dde717e9ebc79f
                          • Opcode Fuzzy Hash: ed6b185f19abe27b4fd9f4f9b3e2e2db3c1589ba6165c10c964cf4358e2dd864
                          • Instruction Fuzzy Hash: 111148B5E15609EFCB48CFA9D5406AEBBF2AB89300F2085AAD416E3344E7309E41CB51
                          Function 07AD6EE8 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0bab1e022b782c5c8a60ffa2f63c83fa31b24878d35513edf52b9a7f89f7cb33
                          • Instruction ID: b3bd6ce7a6d5cea45a237553344cbece1a24ec5af7fd794afc83ba4bcde20ca4
                          • Opcode Fuzzy Hash: 0bab1e022b782c5c8a60ffa2f63c83fa31b24878d35513edf52b9a7f89f7cb33
                          • Instruction Fuzzy Hash: 371158B0E04609DFCB04CFA9D54069DBFB2FF99350F2485AAD42AAB650D6349A01CB00
                          Function 07AD6EF8 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 898db4507ca3e0e2a22812f73ddcd6380d3d0534da6b85e7a1a8ecb874541898
                          • Instruction ID: 6ad44b75d3075ac121b821e3eb17a8ee215e29d6992ca1f10706167721d7357d
                          • Opcode Fuzzy Hash: 898db4507ca3e0e2a22812f73ddcd6380d3d0534da6b85e7a1a8ecb874541898
                          • Instruction Fuzzy Hash: C51118B1E15609EFCB44CFA9D5405AEBBF6FB99340F24D4AAD42AE7214E6309E01CB50
                          Function 07ADD065 Relevance: .0, Instructions: 49COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 30204aa36ee6ee472176c101713305f14820ce693f19f9f043f1b570caa4c9f2
                          • Instruction ID: 99b50dd7bee5bcb9bd5d89ef32541c7a132162d918610c8c0bad8128d892b44c
                          • Opcode Fuzzy Hash: 30204aa36ee6ee472176c101713305f14820ce693f19f9f043f1b570caa4c9f2
                          • Instruction Fuzzy Hash: 95119AB5A08204DFCB00DFA8D5856AC7FF8FB8A200F10929BC02B97251D7384D06CF52
                          Function 07ADA902 Relevance: .0, Instructions: 49COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 116277257646c13699134cdc4a3e48dcf29075cf4150c0f6f0527d7975bd82c5
                          • Instruction ID: 328c1933c1ee6cb4add33390f1bf0a4d3fb69d814185a023f9cf682fcb39f9e1
                          • Opcode Fuzzy Hash: 116277257646c13699134cdc4a3e48dcf29075cf4150c0f6f0527d7975bd82c5
                          • Instruction Fuzzy Hash: 0C1136B4D09218CFCB21DFA4C5486ECB7B6BB0A302F108699D42BA7351C7759E82CF50
                          Function 07ADD010 Relevance: .0, Instructions: 48COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2b47b928d05dc259f5ab3aa0ceed8e402d7688584caeb95c51aa1a64c0c24a2
                          • Instruction ID: c97777cb1385649e63526a08fd19c37c63cc4bb33cb018404fae5ec7bb656500
                          • Opcode Fuzzy Hash: f2b47b928d05dc259f5ab3aa0ceed8e402d7688584caeb95c51aa1a64c0c24a2
                          • Instruction Fuzzy Hash: 4311C4B0B04218DBDB10DB64D8457AD7BB9FBC9300F008966C02B97248C7785D46CF91
                          Function 07ADAA8B Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 576c436df8c57ab7ed575ffbd5501b6398bf04ab7851925968d763263115b176
                          • Instruction ID: e7920c3948c7a7b6780e4fb338258dfa919a3a8375186ade9c8f0d12e87d3612
                          • Opcode Fuzzy Hash: 576c436df8c57ab7ed575ffbd5501b6398bf04ab7851925968d763263115b176
                          • Instruction Fuzzy Hash: AF11F5B4915218CFCB14DFA4C584ADCBBB6BB4E311F249199D41AB7201C734AD81CF60
                          Function 07ADB6F9 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0566fc639a088c856f7a92861919e54f3af6ff782cc0dc772d72c8cc22af059
                          • Instruction ID: 73518e4ab5e1699357cd533f4c8e0637938c50154f7ff811a3cf896df7583fcd
                          • Opcode Fuzzy Hash: c0566fc639a088c856f7a92861919e54f3af6ff782cc0dc772d72c8cc22af059
                          • Instruction Fuzzy Hash: 750171B4E09248EFC700DFA8C645AADBFF5AF4A300F15C1D5E5199B362D6309E00DB50
                          Function 07AD5178 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 31c2aebddd7f0e478c77e410fa5b2ffbe8cfa952ddd7e533ec8e7f3aa47299d7
                          • Instruction ID: 8b1ff9b9b0fe92e5e17b2bee344494f3670efa9f039fc9c4af3107f3365cfb89
                          • Opcode Fuzzy Hash: 31c2aebddd7f0e478c77e410fa5b2ffbe8cfa952ddd7e533ec8e7f3aa47299d7
                          • Instruction Fuzzy Hash: E01161B4E0520ADFCB48DFE9D5416AEFBF2EB88300F10806AD415E3304E7304E518B91
                          Function 07ADD143 Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 13a8db0beb081d78e09e0fab5952a40693375ff4fa4324847363a5a32e404967
                          • Instruction ID: da202b3c6b7d2e45acead8ce26ad0abda32383215de9bd59f2a48ea8d82d29ab
                          • Opcode Fuzzy Hash: 13a8db0beb081d78e09e0fab5952a40693375ff4fa4324847363a5a32e404967
                          • Instruction Fuzzy Hash: A411A0B0A05214DFDB14DF68D88A7A8BBF2FB45200F0042DBD41AAB350CB349D46CF50
                          Function 07ADD000 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c61c644a9a7b2e383a86530efd13acac4b05deb02ab34e8715f8cc3cee1cf5b5
                          • Instruction ID: e15031dbc1c07d0d101750bbdc151b8f9f42bbe8c4f237a479d610aeef4a0159
                          • Opcode Fuzzy Hash: c61c644a9a7b2e383a86530efd13acac4b05deb02ab34e8715f8cc3cee1cf5b5
                          • Instruction Fuzzy Hash: D901F4F0E08208AFDB10DB64D8417ED7FBEBBCA200F018666C02797295DA784D47CB62
                          Function 07AD5AB0 Relevance: .0, Instructions: 41COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 10e4224779633d03fcdd6f2e36136fe7e2ec48e4af37a1f41b6c911763897ea4
                          • Instruction ID: 982c148c3ffbde794d2e1261958c8bb5063e6713362625e78c46b5fd391630eb
                          • Opcode Fuzzy Hash: 10e4224779633d03fcdd6f2e36136fe7e2ec48e4af37a1f41b6c911763897ea4
                          • Instruction Fuzzy Hash: 4C0178B4E182499FCB14CFB8D4042AEFFF1EF4A300F0041AAD829E3381EA310A01CB51
                          Function 07AD907F Relevance: .0, Instructions: 40COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd073eaf0b042d633494996b9039751a4e17c1c431493791007a78193eaba989
                          • Instruction ID: 78d58f90838a25b706f1ee37368e19dd9c24135783fbac60750c9878eb418a9a
                          • Opcode Fuzzy Hash: bd073eaf0b042d633494996b9039751a4e17c1c431493791007a78193eaba989
                          • Instruction Fuzzy Hash: F2F081B0A0A389CFDB11CBA4D9905EEBBB9EB8A314F0455E9C11A97115C670BE45CB13
                          Function 07ADB690 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 58243e9a340c491a404d0b919d223da86c7392b3ec68b61cb8771619729fec81
                          • Instruction ID: c17e2131d7536fbad0364f5b5d2a040d1b08f43183a656f98733828d096a395e
                          • Opcode Fuzzy Hash: 58243e9a340c491a404d0b919d223da86c7392b3ec68b61cb8771619729fec81
                          • Instruction Fuzzy Hash: BDF04FF091C208EBDB04CF95C5449BCBBB8EF9A301F1692A5D42A5B211D7309E45EB66
                          Function 07AD70C0 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c074dd1a5addf69292c57bb8a3158dbf462c38ded279091f19e337b64a2b0254
                          • Instruction ID: 2ae413b7df93577652678a9e62360edf519367bbbd85d63833f2fbed27b03de2
                          • Opcode Fuzzy Hash: c074dd1a5addf69292c57bb8a3158dbf462c38ded279091f19e337b64a2b0254
                          • Instruction Fuzzy Hash: 8501C874E15209EFC748CFA9D94525DFBF6EB86300F14D5AAD415A3754EB308E418B44
                          Function 07ADA8A8 Relevance: .0, Instructions: 37COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fcf252dd1922c72a9b5cad5f0b5ff5d4f0c3d17ecff4f2adaca9f7a4d429625f
                          • Instruction ID: 6de458dd20c7d237481b5087fd134c90aba862b41d637c585c9995a98f1b4016
                          • Opcode Fuzzy Hash: fcf252dd1922c72a9b5cad5f0b5ff5d4f0c3d17ecff4f2adaca9f7a4d429625f
                          • Instruction Fuzzy Hash: C501E574A05219CFDB64CF54C990BE8BBF5AB4D311F1091E9E819A7341D635AE80CF50
                          Function 07ADD15D Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bb2cce91228f529bed94f85d9729e0859791f7b4e918f90b823d987a7db57b0
                          • Instruction ID: 3130b44dc6eec5250de66e0c0c0e714407b80168a05e81e146b7a2197c7147e6
                          • Opcode Fuzzy Hash: 6bb2cce91228f529bed94f85d9729e0859791f7b4e918f90b823d987a7db57b0
                          • Instruction Fuzzy Hash: 691144B4A05215EFEB10DF54DC55B98B7B6FB88201F1082DAD41EA7748DB345D46CFA0
                          Function 07AD72DC Relevance: .0, Instructions: 35COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8e4da9d1ba481f56a759f888401874ae90fc4bcf1126bd4d828cdc41e885713e
                          • Instruction ID: f411fab440b91e85bba59cef3039e08004499eacc169e65e759cb4c51b0b1803
                          • Opcode Fuzzy Hash: 8e4da9d1ba481f56a759f888401874ae90fc4bcf1126bd4d828cdc41e885713e
                          • Instruction Fuzzy Hash: 08F08CB5C04284AFC744DFA89459698BFF4EB46210F0880EEE869DB761F6389905CB01
                          Function 07ADD22C Relevance: .0, Instructions: 35COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3abec0d198bd1084676aafdafec9c26a851dcdd248f2f1944c3fa4f15d8607f5
                          • Instruction ID: afa0a4ecd26cdbd5c490ccfc4beee2bc3b9963435e22f3d6ec8caf5b1b2ef4ee
                          • Opcode Fuzzy Hash: 3abec0d198bd1084676aafdafec9c26a851dcdd248f2f1944c3fa4f15d8607f5
                          • Instruction Fuzzy Hash: ED01E8B4A48259AFDB00DBA8D5456AC7BBAFB88300F105729D42A9B74CDA745D06CF81
                          Function 07ADA113 Relevance: .0, Instructions: 33COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9c2814bc3c26eeb0d0b3554e5edf9eadf77abe634b561a4f71f091e998940e8a
                          • Instruction ID: c96c4fd31500e5507f8f0539ce5ef318e70cd18ab4010dfb700d85fab6ed486e
                          • Opcode Fuzzy Hash: 9c2814bc3c26eeb0d0b3554e5edf9eadf77abe634b561a4f71f091e998940e8a
                          • Instruction Fuzzy Hash: 94F0D4B4A29159EBCF00CB95E8958FEB73AFB8F202F00D115E43BA2261DB345D46DE54
                          Function 07ADAD35 Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1a24626438a26d86faf226222cde1bda46ff807f1f2a5132eebc46e17d3940d4
                          • Instruction ID: d244be4e6c2c9798695cd2566ff717936fa75562f9226d7a1eb72478c409e358
                          • Opcode Fuzzy Hash: 1a24626438a26d86faf226222cde1bda46ff807f1f2a5132eebc46e17d3940d4
                          • Instruction Fuzzy Hash: C901F6B4915218CFCB24DBA5C584BDCB7B6BB4A301F10C599D42BA7211C7349D81CF50
                          Function 07AD1D41 Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ccfeb40ce4742d3aff7ca9e4167827c9dc8a69b8a6e8e66e97cfb87255b3ebe
                          • Instruction ID: d54e3eb0dfce312d9a4f93f059493cf68a37bb3fc9b0637832df591de3316b78
                          • Opcode Fuzzy Hash: 4ccfeb40ce4742d3aff7ca9e4167827c9dc8a69b8a6e8e66e97cfb87255b3ebe
                          • Instruction Fuzzy Hash: 6AF067B0E1431A9FEB04DFA8D405AAEBFF0BB09210F2189AAD025E7341D7708A41CF90
                          Function 07ADE4B8 Relevance: .0, Instructions: 30COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7cbc2a7c208e62dac54fbffb076c653127bb89523376506d8c1d1900adac6859
                          • Instruction ID: 1d3c90a986c9806305d503356f1b4851f1e8b5bab7e67412ed974cc3f81478ba
                          • Opcode Fuzzy Hash: 7cbc2a7c208e62dac54fbffb076c653127bb89523376506d8c1d1900adac6859
                          • Instruction Fuzzy Hash: A8F090B4908248BFCB01EFA8E81469DBFF5EF88310F11C1AAD85492355C6344955DF56
                          Function 07AD5AC0 Relevance: .0, Instructions: 30COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3cae562b458457fc355381d12a8e47b72798d4e6caed42d1833cf4fc7f20d8c1
                          • Instruction ID: 732773e551fa15a9f6b9c4f2a24ee64afec3c5a90a5e22c92f5e7c98197ed226
                          • Opcode Fuzzy Hash: 3cae562b458457fc355381d12a8e47b72798d4e6caed42d1833cf4fc7f20d8c1
                          • Instruction Fuzzy Hash: D0F0F4B4E1420D9FCB44DFA9C5056AEBBF5FF48300F1080AAD819A3380EB704A01CB91
                          Function 07ADD0B8 Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f573909c1ba6af875cd99a3b2fa55278d5e1a8d17bb3b0e60bcfcc7458ab3b29
                          • Instruction ID: 60c4839ac29004c70ec3aeb6950fe8b482f23012008b05375e52c9e958aed951
                          • Opcode Fuzzy Hash: f573909c1ba6af875cd99a3b2fa55278d5e1a8d17bb3b0e60bcfcc7458ab3b29
                          • Instruction Fuzzy Hash: F6F01DB4A14308EFDB10DFA8E5999ACBBF6FB89301F10429AE45A9B351D7349C02CF54
                          Function 07AD1D50 Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 34cbc61a4e7d47a5ed81a50b786845ef45843f8b754d6d8169bd888703f4f64d
                          • Instruction ID: 8c2116a216356fd1d2b044c52f500209479cb3f193f0ec64462c0edf0d2630d2
                          • Opcode Fuzzy Hash: 34cbc61a4e7d47a5ed81a50b786845ef45843f8b754d6d8169bd888703f4f64d
                          • Instruction Fuzzy Hash: A3F0DAB0D0430E9FDB44DFA9D855AAEBFF4BB48210F1149A9D519E7301D77199418B90
                          Function 07AD5F56 Relevance: .0, Instructions: 28COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2c04f796eec496b20215072c814d222ddbd25d8d07fff5c723fd253247e80512
                          • Instruction ID: a6d3aa403c088a84611877e112f31c1dd9d0b5690d6ed3f753a958d47ed59ef0
                          • Opcode Fuzzy Hash: 2c04f796eec496b20215072c814d222ddbd25d8d07fff5c723fd253247e80512
                          • Instruction Fuzzy Hash: 3CF06572600009AF9F48DF94DD4599EBBBAEF48210B14847AE409D7364E730DD509B54
                          Function 07ADEEA0 Relevance: .0, Instructions: 28COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 453915a9ebb634ecd6c1e94a7ac44f49c04f9133f50d2f660238dea10f35ee21
                          • Instruction ID: 09f20d4ba386a428a41883ab1c34124fa304b069dd3653de0ae958ae3a784120
                          • Opcode Fuzzy Hash: 453915a9ebb634ecd6c1e94a7ac44f49c04f9133f50d2f660238dea10f35ee21
                          • Instruction Fuzzy Hash: 78E06DB080A348BFCB119B64A8196DD7FB8AB45241F5242AAE841A6691DA340D45C7A6
                          Function 07AD8E20 Relevance: .0, Instructions: 28COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ad92216be9f22c73d5742039b729db4d0352fc1cbd2058a7c441f7dfd3550c51
                          • Instruction ID: 116b84630153173a38bcec9c3dca6e57244c090ea1fb9a74e98a70a33962bbfe
                          • Opcode Fuzzy Hash: ad92216be9f22c73d5742039b729db4d0352fc1cbd2058a7c441f7dfd3550c51
                          • Instruction Fuzzy Hash: 97F017B09053499FCB06DFB8C8006ADBFB5FF0A300F1485AAD9A4A7351E7754A52DF50
                          Function 07ADAC69 Relevance: .0, Instructions: 28COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 37cea3f00dc04d2230c40d63b0d6283c3f81ce2dda9b2e3cf46343d3d71e49b6
                          • Instruction ID: 50655234be5281d975427f15060854e074f182876e98b123bb1cfdc64f70708e
                          • Opcode Fuzzy Hash: 37cea3f00dc04d2230c40d63b0d6283c3f81ce2dda9b2e3cf46343d3d71e49b6
                          • Instruction Fuzzy Hash: D0F09A74A092448FC705CBA4C4906D8BBF6AB4F305F2490A9C40AAB212C236AD80CF00
                          Function 07AD7298 Relevance: .0, Instructions: 25COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a1133ed6afeebcacd0a96641df39f1563a8f8433eb98e16066efdfbf130730fa
                          • Instruction ID: c259fe0a49802f4184914a6572a9c43de917a88887930f5fef875423d9bec56d
                          • Opcode Fuzzy Hash: a1133ed6afeebcacd0a96641df39f1563a8f8433eb98e16066efdfbf130730fa
                          • Instruction Fuzzy Hash: C0F0C975D54248AFCB44DFB8E448A9CBBF4EB4A324F0084EED818A7751E6789945CF41
                          Function 07ADE4C8 Relevance: .0, Instructions: 23COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3fb8eae57276f28f6c7d07359e5ceadeabb0db9622f3d4c25cb9f775722b69d0
                          • Instruction ID: 80271428c34378eb19a7f480dba88fbcb8e50e489039b26f2c90200c7d42e224
                          • Opcode Fuzzy Hash: 3fb8eae57276f28f6c7d07359e5ceadeabb0db9622f3d4c25cb9f775722b69d0
                          • Instruction Fuzzy Hash: 8CF015B4D0420CFFCB40EFA8D44869DBBF5EB88311F10C1A9E814A6354D6345E51DB95
                          Function 07AD1CE8 Relevance: .0, Instructions: 23COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c9ee39cc9731dd491973bdeffa8f0c13fd9a634f6ac1237002183b8bfc1999e1
                          • Instruction ID: e4147c4bf8c0c517dbd58c4d0bf9e41f247b566b5a1f3fefbfa6103989e95bff
                          • Opcode Fuzzy Hash: c9ee39cc9731dd491973bdeffa8f0c13fd9a634f6ac1237002183b8bfc1999e1
                          • Instruction Fuzzy Hash: 9CE032B0C44209AFDB40EFA8C40469ABFF1FB09210F2288AAC025EB324E77489018F50
                          Function 07ADD464 Relevance: .0, Instructions: 22COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e9ad511298c8f2cebb78e608c0a3102dcfab6a78f48940e707fa1b296150d075
                          • Instruction ID: 76f6d9619184d23c8db18a31ebddec2b7ba9fc66aae5add3f052526e38768bd1
                          • Opcode Fuzzy Hash: e9ad511298c8f2cebb78e608c0a3102dcfab6a78f48940e707fa1b296150d075
                          • Instruction Fuzzy Hash: 2FF039F8A04242CFE700CF68E299A6EBFF5FB49301B058199D45A97311C738AC41CF95
                          Function 07AD1278 Relevance: .0, Instructions: 22COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 55985ca948cc69803e33a39213446c47d70ca05142570a19ec08442b3685e7f3
                          • Instruction ID: 9f65c74e117af845277bfdcba6533cd1242497aba526d5a366a2b5b77e19b93f
                          • Opcode Fuzzy Hash: 55985ca948cc69803e33a39213446c47d70ca05142570a19ec08442b3685e7f3
                          • Instruction Fuzzy Hash: 5CE0923A500314EFCB109F64E8858C47330FF49372B1042E5E92A9B2A2CB368E82CF51
                          Function 07AD8E30 Relevance: .0, Instructions: 21COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ae3ed30e7095a0102d723de9e9188d402111c6be3e488a6ec5a6ad9adbe472f
                          • Instruction ID: b64d09a65e5bd7db40d7608ff5630366297e410f976dfad42459e21ec7ff3f1b
                          • Opcode Fuzzy Hash: 9ae3ed30e7095a0102d723de9e9188d402111c6be3e488a6ec5a6ad9adbe472f
                          • Instruction Fuzzy Hash: FAE0EDB0D01319EFCB44DFA8C5016ADBBB5FB48300F5085AAD824A3340D7759A51DF84
                          Function 07AD8E73 Relevance: .0, Instructions: 20COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 74fb884de9e3935343c07ae7d1f210656f57e9fd2a15149c35ae43a2041ffe88
                          • Instruction ID: c2b9f4dc720ce98ec3b1f8efe22a23b46d6de8fe0687282cf850abf7d0f86d68
                          • Opcode Fuzzy Hash: 74fb884de9e3935343c07ae7d1f210656f57e9fd2a15149c35ae43a2041ffe88
                          • Instruction Fuzzy Hash: 92D05B7100A3C4AFD31267647C161E87F7C9B47102B050352D54681063CA6C4957C7B7
                          Function 07ADAB97 Relevance: .0, Instructions: 20COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4642869f69baebca48638aed4dee11f9fdc352e7fc103ec260c3a3366501c145
                          • Instruction ID: 7b1a2d0b0c832acfcdd8371b43bcb908dd49311299843b27c4ff88650118e240
                          • Opcode Fuzzy Hash: 4642869f69baebca48638aed4dee11f9fdc352e7fc103ec260c3a3366501c145
                          • Instruction Fuzzy Hash: B1F015B080A254DFCB21DF64C95879C7BB1AB0A201F1185AAD82E6B252C7744D86CF21
                          Function 07AD72A8 Relevance: .0, Instructions: 19COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5651b045944a80e493d667690a0c13b7aeb11f19322df47bfb488ef3effb62e6
                          • Instruction ID: bf97b80549d7782da3ba05b2620136d39c79c4a7821fcbe996d5e5a72648c8a2
                          • Opcode Fuzzy Hash: 5651b045944a80e493d667690a0c13b7aeb11f19322df47bfb488ef3effb62e6
                          • Instruction Fuzzy Hash: 96E09A74D10208AFC784DFA9D445A5CBBF4EB49610F0080EAD819D7750E6749944CF41
                          Function 07AD7068 Relevance: .0, Instructions: 19COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 86d6d6a3f91aa2ae6d285877cafa4e0516eb5f17f3a9a65a7ff6662dbf260d43
                          • Instruction ID: 9be4b10e5d922f42726abc68963ede44622066adf1960d194e4122a273af7388
                          • Opcode Fuzzy Hash: 86d6d6a3f91aa2ae6d285877cafa4e0516eb5f17f3a9a65a7ff6662dbf260d43
                          • Instruction Fuzzy Hash: 99E04F71D44286AFCB19CFBCD48139CBFB0EB02364F1445DAC8299B295D7791992CB41
                          Function 07AD1260 Relevance: .0, Instructions: 18COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 28b586ca1965eda7622eb72f8d2493b5e5dbeff690227831d3e92491324ba033
                          • Instruction ID: a9c5b7d32dba95ac9be0cf78bcf7817333a796f837be0d4936ab075463d7ca5b
                          • Opcode Fuzzy Hash: 28b586ca1965eda7622eb72f8d2493b5e5dbeff690227831d3e92491324ba033
                          • Instruction Fuzzy Hash: 61E0C73A600204EFC705DF28E9408C87B72FF86326B8101AAE1068B220DB36DE91CF00
                          Function 07AD1CF8 Relevance: .0, Instructions: 18COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 125f86b96251c6eb4e5b6ad954fbaa66543d024eefd9e599dcaeec8483a6e2a3
                          • Instruction ID: b052fa8d737372e937cf179e12942d0ee46f30ec14549e2973ded4e486688567
                          • Opcode Fuzzy Hash: 125f86b96251c6eb4e5b6ad954fbaa66543d024eefd9e599dcaeec8483a6e2a3
                          • Instruction Fuzzy Hash: 77E0B6B0D4520DEFD780EFB9C915B5EBBF4BF08600F1189A9D029E7215E7B49A058F91
                          Function 07AD901A Relevance: .0, Instructions: 17COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 63b65e456a8938be3406e7eb0af20e0e81f203ecb9a3e2969de2a06afcbe6ad1
                          • Instruction ID: 7a7f4a7cfda7df15c42fd04c63f2176aead4e8cd4bea9761c516bb4d5d140177
                          • Opcode Fuzzy Hash: 63b65e456a8938be3406e7eb0af20e0e81f203ecb9a3e2969de2a06afcbe6ad1
                          • Instruction Fuzzy Hash: 28D01735A4A269CFEB12CB10E9407ECBBB5EB86311F0052E6D01997225C7342F4ACF52
                          Function 07AD7078 Relevance: .0, Instructions: 17COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 069efa579f0d5ece1992911ab4f33bbc60badc2727adc4a9f20a9e3f61836af5
                          • Instruction ID: b024ad5f4caeeab233628e84a8f1cb47a83a0938fdfd988ed6f3986c206d7929
                          • Opcode Fuzzy Hash: 069efa579f0d5ece1992911ab4f33bbc60badc2727adc4a9f20a9e3f61836af5
                          • Instruction Fuzzy Hash: 35E0E2B0D00209AFCB58EFB9D4456ACBBF4EB44200F0080AA8818A3280EA745E84CF82
                          Function 07ADEEB0 Relevance: .0, Instructions: 17COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0fde212d8b3a7887e707259571cdac4f192fd21dabd2def6d2b929509a32004d
                          • Instruction ID: 7809f20449152481f42ade223dbef855223c12f60d22bdb2f6aa8eb452094223
                          • Opcode Fuzzy Hash: 0fde212d8b3a7887e707259571cdac4f192fd21dabd2def6d2b929509a32004d
                          • Instruction Fuzzy Hash: 57E0C2B090420CFFCB00EFA8E41925CBBB8FB48302F5141B8D80567384CB300D41C786
                          Function 07AD4980 Relevance: .0, Instructions: 15COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 60750aa5891953d7bc48db798e704c398c9d91787f3e0bf9a70ee5dae6dc4baa
                          • Instruction ID: 26ca5a04de448a142961f08bf023440f4fe8b8c6b01ad307d64e8a13dab33b80
                          • Opcode Fuzzy Hash: 60750aa5891953d7bc48db798e704c398c9d91787f3e0bf9a70ee5dae6dc4baa
                          • Instruction Fuzzy Hash: 1ED0A9B081224CEFC704EBB89906B6DBBB9AB04200F2000A98918A3290EA700E40CB81
                          Function 07AD1DF0 Relevance: .0, Instructions: 14COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 37b074dd029fdf97409ca95cd37865b594537a98a9db10dd99ab26677472800f
                          • Instruction ID: 0801939cd948fe786a78c74f3828ea6bff7674d71d83aa89f46382211003d1a8
                          • Opcode Fuzzy Hash: 37b074dd029fdf97409ca95cd37865b594537a98a9db10dd99ab26677472800f
                          • Instruction Fuzzy Hash: FED0123224010DDF4B40EF94E844C5277DCBB58700B00CC22E504C7120F622F924E791
                          Function 07AD8E80 Relevance: .0, Instructions: 10COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d5c596a0628cf5f59e5829bdc0816cab05902f656cb49fa97d2f50d35fafd420
                          • Instruction ID: 4c154506020d73e8b627fb81656dea59c939b7bc3bb17cf2f688af603ca99a59
                          • Opcode Fuzzy Hash: d5c596a0628cf5f59e5829bdc0816cab05902f656cb49fa97d2f50d35fafd420
                          • Instruction Fuzzy Hash: 76C08CB0001248BBE2217798B81E3287AB8A749203F800320D20E40060CBBC4882CAA9
                          Function 07ADADC1 Relevance: .0, Instructions: 8COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 32d1c55aedd93480f669e6d764690d37c5a67c7670e85ab20e75a3418ffedd8d
                          • Instruction ID: b8bc7188ba04ce046e5b14f1f5b885f409d317cf8960499dc3e81b06ac4375b2
                          • Opcode Fuzzy Hash: 32d1c55aedd93480f669e6d764690d37c5a67c7670e85ab20e75a3418ffedd8d
                          • Instruction Fuzzy Hash: 31C012384082858FCB014F50D8506A57F315F4F200F0081C1D44912161C6301D91DB60

                          Non-executed Functions

                          Function 07AD23B8 Relevance: 5.2, Strings: 4, Instructions: 174COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: %O@8$%O@8$tQ=)$tQ=)
                          • API String ID: 0-749352435
                          • Opcode ID: 2230b5dbbe05bd05e502a6ccfee1213d0a5bde78a94e564b2b949f763ccf026c
                          • Instruction ID: b50a78901c47e0f5031145aae12fdabde3dfa1d2d29baef271bf8c2218ed0034
                          • Opcode Fuzzy Hash: 2230b5dbbe05bd05e502a6ccfee1213d0a5bde78a94e564b2b949f763ccf026c
                          • Instruction Fuzzy Hash: 0471D1B4E11219DFCB48CF99D584A9EFBF1FF89310F14856AE825AB260D734AA41CF50
                          Function 07AD2F68 Relevance: 5.2, Strings: 4, Instructions: 162COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 18'$18'$aY$aY
                          • API String ID: 0-3687307736
                          • Opcode ID: 16d8a1b9933e0faec4f3c65b6922c14cbbedffbf1c037c6358854b84fc6493c6
                          • Instruction ID: 08aff00058d8712c4abcc4604d9253e2f8def00bf87ef0f2ebe1ed8d10ae2a81
                          • Opcode Fuzzy Hash: 16d8a1b9933e0faec4f3c65b6922c14cbbedffbf1c037c6358854b84fc6493c6
                          • Instruction Fuzzy Hash: CF71E4B5D1120ADFCB04CF99C5849AEFBB1BF49210F148519D42AAB344D734A982CF95
                          Function 07AD23A8 Relevance: 3.9, Strings: 3, Instructions: 173COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: %O@8$tQ=)$tQ=)
                          • API String ID: 0-2920369752
                          • Opcode ID: fd205ac2bbcc17ae4ea47615a3bee53b1de277a5caf400cea8b40fa0cbb79d71
                          • Instruction ID: 712bc86206001e333d659e75711286a6dcd60105cfddd113b3b92adf9716ee17
                          • Opcode Fuzzy Hash: fd205ac2bbcc17ae4ea47615a3bee53b1de277a5caf400cea8b40fa0cbb79d71
                          • Instruction Fuzzy Hash: 1071D4B5E11209DFCB44CFA9D584A9EFBF1FF89310F14856AE825AB260D734AA41CF50
                          Function 07AD3A81 Relevance: 3.9, Strings: 3, Instructions: 116COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,uRR$6yu[$6yu[
                          • API String ID: 0-86511755
                          • Opcode ID: 665da0fb5b9342e7079ec4fccf3a57097c5186b2537f54bfdc1f3150ffd30b70
                          • Instruction ID: 061216ad65f14df42bcd64b7ab4f6247f445c6e6b604c20a88c5fb7718c803fd
                          • Opcode Fuzzy Hash: 665da0fb5b9342e7079ec4fccf3a57097c5186b2537f54bfdc1f3150ffd30b70
                          • Instruction Fuzzy Hash: 7D41F5B1E0520ADFCF04CFAAD5815AEFBF2FB89300F20D46AC415A7254E7349E428B95
                          Function 07AD3A90 Relevance: 3.9, Strings: 3, Instructions: 114COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,uRR$6yu[$6yu[
                          • API String ID: 0-86511755
                          • Opcode ID: 9fe9ad5deadb11f4524252f62e17238cacf5a80675e514362417a1d7ba5426db
                          • Instruction ID: f06e66d6f7dedc27ec4b39170d05ea06b9a9496183891d8c593f544a703bd480
                          • Opcode Fuzzy Hash: 9fe9ad5deadb11f4524252f62e17238cacf5a80675e514362417a1d7ba5426db
                          • Instruction Fuzzy Hash: 0341E5B1E1520ADBCF04CFAAD5815AEFBF2FB89300F24D46AC415B7254E7349E428B95
                          Function 07AD69C8 Relevance: 2.8, Strings: 2, Instructions: 295COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 9u"K$Zjsq
                          • API String ID: 0-1261923490
                          • Opcode ID: 6843bf22c4d16954845d5a0905eada1df05733895e5fe12471b218bb7a67e182
                          • Instruction ID: 456f52d67bb20f8f1aa2b463dcaad7d17186a22c3469eb73375b8f2ce3ea4ea1
                          • Opcode Fuzzy Hash: 6843bf22c4d16954845d5a0905eada1df05733895e5fe12471b218bb7a67e182
                          • Instruction Fuzzy Hash: 4EC1E7B0E15219DFCB18CFAAD58059EFBF2BF89340F24D52AD426AB264D7309942CF54
                          Function 07AD69B8 Relevance: 2.8, Strings: 2, Instructions: 291COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 9u"K$Zjsq
                          • API String ID: 0-1261923490
                          • Opcode ID: 24c66312aad1ff847d3c1df9674f5e07ef112affb109777917f3bbce18153fa4
                          • Instruction ID: 350a80154a1ec17547f1f886ee8e85690037b41202a4c99bd52b1165e140442e
                          • Opcode Fuzzy Hash: 24c66312aad1ff847d3c1df9674f5e07ef112affb109777917f3bbce18153fa4
                          • Instruction Fuzzy Hash: 6FC1F5B0E14219DFCB18CFAAD58059EFBF2BF89340F24D52AD426AB264D7349942CF54
                          Function 07AD4A58 Relevance: 2.7, Strings: 2, Instructions: 193COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: \~$$or
                          • API String ID: 0-2796768027
                          • Opcode ID: 9dbcbcb942c2ee872151fa3ff792bcb195e9b35f02fed34d6e08ccbc49c47ce1
                          • Instruction ID: f6c77edd3f577f18b9bc2bffa6ad35c23a065dabc3674d84d09979f7ce15d60c
                          • Opcode Fuzzy Hash: 9dbcbcb942c2ee872151fa3ff792bcb195e9b35f02fed34d6e08ccbc49c47ce1
                          • Instruction Fuzzy Hash: 5E8149B4E1420ADFCB04CFA5D5455AEFBF2EF89350F10802AD826A7364E7349E428F94
                          Function 07AD4A68 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: \~$$or
                          • API String ID: 0-2796768027
                          • Opcode ID: f4bbccc95aa31ff343d35fc60f462f7ba41ec6397dd586adb922785e9aaae793
                          • Instruction ID: 56eb86fc80ee9984ab87ca30ed7ba5d9aad5afe2ee980c223a29c21244279c21
                          • Opcode Fuzzy Hash: f4bbccc95aa31ff343d35fc60f462f7ba41ec6397dd586adb922785e9aaae793
                          • Instruction Fuzzy Hash: 2B6149B4E14219DBCB04CFA6D5855AEFBF2EF89340F10902AD826B7364E7345A428F94
                          Function 07AD2F59 Relevance: 2.7, Strings: 2, Instructions: 157COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 18'$aY
                          • API String ID: 0-535677718
                          • Opcode ID: d05dbb11abb1f68f8680f668061fdd5f24a0b8f062eceb585e9e388e8679c4dc
                          • Instruction ID: 077cf3868ed760cefed0ecc06c60884a15bb4c642a8956c8d6df72a3ddacb18d
                          • Opcode Fuzzy Hash: d05dbb11abb1f68f8680f668061fdd5f24a0b8f062eceb585e9e388e8679c4dc
                          • Instruction Fuzzy Hash: 326116B5E1120ADFCB04CFA9C5849EEFBB2FF49210F148516D42AA7314D334A992CF95
                          Function 07AD4703 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: i#)6$p
                          • API String ID: 0-1147749353
                          • Opcode ID: ac7e6483b20f151908c76c88a2ab17503d4171b129078f37c65857399e9d6fb4
                          • Instruction ID: b679600a36ee7e116d34ccab0d560a95d24e96ffd721ffd3a7e6d5b8f5e3face
                          • Opcode Fuzzy Hash: ac7e6483b20f151908c76c88a2ab17503d4171b129078f37c65857399e9d6fb4
                          • Instruction Fuzzy Hash: EA412EB0D1524ADFCB04CFA6C5816AEFBF1EF8A200F24946AC515FB254D3349B458F95
                          Function 07AD0006 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: ]]o
                          • API String ID: 0-2636374853
                          • Opcode ID: b99c5f27e28f6e8d3b96537520ec2850295d557f6fd7aa89cee4716338fcbe92
                          • Instruction ID: 279a00b681e8ec2a259e6e15d706dda0dd9acc613dde19e29dcae07d3f575f2d
                          • Opcode Fuzzy Hash: b99c5f27e28f6e8d3b96537520ec2850295d557f6fd7aa89cee4716338fcbe92
                          • Instruction Fuzzy Hash: 8F7127B5E1520ADFCB04CFA9D4809EEFBB2FF89310F148166E415A7255D3349A81CF91
                          Function 07AD0040 Relevance: 1.4, Strings: 1, Instructions: 171COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: ]]o
                          • API String ID: 0-2636374853
                          • Opcode ID: 591bcd063db4634f0919c05221d699645d5ad51cd47d0a8c9669b8fa358c883c
                          • Instruction ID: 26f8c38d8910fbec8748c6eb1f154e7a44f724616f3c9b00d0c2f9f7f6c86820
                          • Opcode Fuzzy Hash: 591bcd063db4634f0919c05221d699645d5ad51cd47d0a8c9669b8fa358c883c
                          • Instruction Fuzzy Hash: 4471F5B4E1520ADFCB04DFA9D5809EFFBB2FB89310F14856AD526A7214D3349A81CF94
                          Function 07AD4710 Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: i#)6
                          • API String ID: 0-3600651614
                          • Opcode ID: 0f9914accf8b6530f2eb7014cbef83ba56d90915a3b485a5d8868158045f9450
                          • Instruction ID: 5117c7b3a82dadaa3eecef3ce125b031ddff84cef2583f75e7fe95526f671cb8
                          • Opcode Fuzzy Hash: 0f9914accf8b6530f2eb7014cbef83ba56d90915a3b485a5d8868158045f9450
                          • Instruction Fuzzy Hash: 69410CB0D1520ADBCB08CFA6C5416AEFBF5EF8A300F10942AC526BB254D3349A418F95
                          Function 07ADDC49 Relevance: .4, Instructions: 375COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dfb82722d2eae73d15c5116b5700add5af049b8532c1a8f1a4a630197e12a836
                          • Instruction ID: d9394093b3a6c6d10c3481c0a05c8b12b3966077b86f8b900137bf476431260b
                          • Opcode Fuzzy Hash: dfb82722d2eae73d15c5116b5700add5af049b8532c1a8f1a4a630197e12a836
                          • Instruction Fuzzy Hash: EBF1FBB4E002598FDB14CFA9C580AADFBB2FF89304F24816AD865AB355D735AD41CF90
                          Function 07ADD813 Relevance: .3, Instructions: 321COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7b9b238d461003648f15f7230078a4d7f6570d85b98de4712bc6a1f5bf33c5be
                          • Instruction ID: d4887f7ad4a528ccb97c04274b88da42dd69c582a158014eee3513098efe9f52
                          • Opcode Fuzzy Hash: 7b9b238d461003648f15f7230078a4d7f6570d85b98de4712bc6a1f5bf33c5be
                          • Instruction Fuzzy Hash: 2FE1F9B4E002598FDB14CFA9C580AAEBBF2FF89304F24816AD455AB355D731AD41CFA0
                          Function 07ADF498 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c8e262c6bf8f71a59faf09fa900527ca2277a7f2911b243d9e5dad69ac6a62d4
                          • Instruction ID: d4e36c3337c968990d7f0021a7544c6b53e2779bdb7a0b8207e6c5eb566fc462
                          • Opcode Fuzzy Hash: c8e262c6bf8f71a59faf09fa900527ca2277a7f2911b243d9e5dad69ac6a62d4
                          • Instruction Fuzzy Hash: 15E1DAB4E002598FDB14DFA9C5809AEBBF2FF89305F248169D825AB355D730AD41CFA1
                          Function 07ADE090 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b265a0456234b3fbbf4ca854daf2e4ddeab5ead95dc458fddc755edadac2663
                          • Instruction ID: 2a93ab05c5999112079761ae3539e9050371e509f076c839b97809ca1608c786
                          • Opcode Fuzzy Hash: 5b265a0456234b3fbbf4ca854daf2e4ddeab5ead95dc458fddc755edadac2663
                          • Instruction Fuzzy Hash: 78E1E9B4E042598FDB14CFA9C580AAEBBF2FF89304F248169D815AB355D735AD41CFA0
                          Function 07ADF8D0 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eac9aac2e8026024f4e909a9f2561c69abb086150494d0c49a2de84a5c8f441e
                          • Instruction ID: 15cddf8ac900881736300f35f3cf6e0b38e76402b8c46c6ce794521575a4f682
                          • Opcode Fuzzy Hash: eac9aac2e8026024f4e909a9f2561c69abb086150494d0c49a2de84a5c8f441e
                          • Instruction Fuzzy Hash: 3FE1C9B4E002598FDB14DFA9C580AAEBBF2FF89304F248169D825AB355D735AD41CF60
                          Function 07AD3808 Relevance: .2, Instructions: 170COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3773f83c414e16ce875bb4f502defc833bfc61ed5ba5727fdc6b45bb5f97e317
                          • Instruction ID: f32baf1c2afe55b117b7e6ab87be85a45d744f711db1408262478d4999945118
                          • Opcode Fuzzy Hash: 3773f83c414e16ce875bb4f502defc833bfc61ed5ba5727fdc6b45bb5f97e317
                          • Instruction Fuzzy Hash: 836115B4E15209DFCF04CFA9C5805EEFBF2FF8A250F24946AD416B7264D7309A418B65
                          Function 07AD3818 Relevance: .2, Instructions: 167COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0f2365fbf125fe36178c7233af5551e05885475759d6b13fa79805b8128d3051
                          • Instruction ID: cd02e04bc236d665225254c8d9a08df31fb4a9bc347ee76117499424ddf3b672
                          • Opcode Fuzzy Hash: 0f2365fbf125fe36178c7233af5551e05885475759d6b13fa79805b8128d3051
                          • Instruction Fuzzy Hash: E471D3B4E15209DFCF04CFA9C5809EEFBF2FF89250F24942AD416B7264D7349A418B65
                          Function 07AD50C0 Relevance: .2, Instructions: 155COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c61d3937bdef6274329ea7f94d537c252c41fbb287834af87cddf7eb8035a0d
                          • Instruction ID: 69aa0af3f895300c3f6cadd46dab8e60a3cc45e9bd62e2caa3561181c3cba4fd
                          • Opcode Fuzzy Hash: 3c61d3937bdef6274329ea7f94d537c252c41fbb287834af87cddf7eb8035a0d
                          • Instruction Fuzzy Hash: 045139B5E15259DFCF04CFA6D5401EEFBF1FB8E200F14956AD826B7224D3389A018B65
                          Function 07AD4EA0 Relevance: .1, Instructions: 147COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e51903e483ab170aecc2015ae81684c3e9930782744079ed77f93816ec25a04
                          • Instruction ID: 27edc9cebbd52bc59566ffc0ef258be7b723bc60c1f3a10cdd8b4855c8023782
                          • Opcode Fuzzy Hash: 4e51903e483ab170aecc2015ae81684c3e9930782744079ed77f93816ec25a04
                          • Instruction Fuzzy Hash: A25129B5D1525ADFCB04CFA6D4402EEFBF1FB8E601F14952AD826B7224D3384A068F55
                          Function 07ADF8C0 Relevance: .1, Instructions: 136COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8cc348d22a2e6ee25a97660725d323adea105f0c324efb790a10c9ebed4d76dc
                          • Instruction ID: fa4210fea1ee95725df07763f1eeaf9df0a0a050ef35ad6a3834a43032e99ba8
                          • Opcode Fuzzy Hash: 8cc348d22a2e6ee25a97660725d323adea105f0c324efb790a10c9ebed4d76dc
                          • Instruction Fuzzy Hash: D051F8B0E042598FDB14CFA9C5805AEBBF6FF89304F2481AAD429AB355D7349D41CFA1
                          Function 07AD4EB0 Relevance: .1, Instructions: 135COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ed63df126a07bea417e3b50945f9b19dce69f0cde1dedbbea04341d760d4f60b
                          • Instruction ID: 590383ec4585b96dc44d7c61fd2310399e3f4ddd8059e27d3de5d7f0a5af27bd
                          • Opcode Fuzzy Hash: ed63df126a07bea417e3b50945f9b19dce69f0cde1dedbbea04341d760d4f60b
                          • Instruction Fuzzy Hash: DB5108B5D15219DFCF04CFA6D4406EEFBF1EB8D600F14942AC826B6224D3789A058F65
                          Function 07AD35E8 Relevance: .1, Instructions: 107COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e0559d6a283b4a1de72d2ab022341422a19b1e02a92862e1c767b157663d770
                          • Instruction ID: 128ee60ae28ab7bd89e641f755476812b015ffe80edfa9df0d425b69077e9d45
                          • Opcode Fuzzy Hash: 7e0559d6a283b4a1de72d2ab022341422a19b1e02a92862e1c767b157663d770
                          • Instruction Fuzzy Hash: 1041EAB0D1560ADBDF44CFAAC9416AEFBF2BB89300F14C46AC426A7354D7349A418F96
                          Function 07AD35F8 Relevance: .1, Instructions: 107COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000002.00000002.1295981419.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ad0000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 20e66ca697b2293bb29e911f32b450c71d29d2f3c67295f7bd4faf5b528bfe6a
                          • Instruction ID: 4f248d996f01bc26cf7c21019b2d7790c000a5cf7a9b9b5d2233883ce0b1fa63
                          • Opcode Fuzzy Hash: 20e66ca697b2293bb29e911f32b450c71d29d2f3c67295f7bd4faf5b528bfe6a
                          • Instruction Fuzzy Hash: 9841C8B0D1560ADBCB44CFAAC5816AEFBF2BB89300F14D46AC426B7354D7349A41CF96

                          Executed Functions

                          Function 00414AA0 Relevance: 114.0, Strings: 87, Instructions: 5254COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Offset: 00414000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_414000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 00023028533D021711551C0D1401$02213D1C350D19257104253F316F19231A2F$043612142B0216382C29255F4F2D163A091E3A09$0527241E54123C0330$091E023874263D013E0F35$0A31220A57020716240707493C2A24$0D1C311B47103F2935$0E7D0D067430107C38487E6E2A1F5F1E6325716A217F3A17661B037A2E764A52290C780A490461780D4C5008365839336F172521714D621C5F6F$0F092A393C21220E602134120B011F$102E211274393B3715$141C043145390A203D4719331A0F$143B$213F161F241B021E6F051C1E032310$221218123D3A032C$222D3E23$223B310F232117$230F063108$241911274C021D092F00681B300B1313193E$25253A241F243E0942020F221516010A200B393C260B172E3D3F23005C381F27373E272616283E1F05583A13$26000035$262B2216513D1D143C387016201C3B281B25$2636054759201713232411$2728251C1B2508111C193B5E461720041E29060E$3001181A7229163E320A30$312B2E3241112521007800091B1F$316A5C707C26633755674715114238227C1C4A6152571132652C416B38306B000D46207E42772D34234E2B0757165B577742112D441E4D0A2757362A5714323542$3224234B58193429247701030616$341A07724702051F28$3A271738$3A342918393B3E1D17291425127C150329353F1F213A0E3F$3C0339140611252307$3E0B3B27513608041F1D3F$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$BjWEwlGphFlHZToavjMLr$FrskaJUqHhMmVwMSCBRXsYX$GqjZfibJEsPzgXEVVPKMbUpuNJixcKKrixwsHGxcCrq$HdUWAgWvzZeYbknkjqvHEsX$Hs@$IfFFwMgZxqHa$JGQPaelyEOgWRwjVRUNLYbUX$JfbgXdkKpdhrjnunFRBIxsRpaxEpBHk$LYKyZNHRzNsQuNyoIkOPlCXcyUKLaVdxwYdfMBvqFM$LoTrJjYUQECho$NxfobaDVDrXNhvzdIWiKZwqxqPxGyOtDMW$ObksxxLGLVW$QatcJeuGwLazPVbUzthpqSVCkLfUDMjG$TEFbxBawLEFKeonyHlXnYtgaofucFXI$TR@$TR@$TR@$TZSVhTuXsHjGDLkXvEttFXRyfmJfloMKulRTEOhnKK$ULjeNtGOfBXPlOEdnpokjNA$UNLdxshqrcuRlydjrQlyyzgjslmmhluBr$WRLTIxIJzxyfOessyOeXHOdybXIFlaQr$WkUJvQWkhcodXDktiNsTgT$WpEowqemvixMpIYEcSmsisrxPSapdYgK$cDlEJsftgEYwou$dfXUprFieuvU$fikBOizkrOVyluFbdBvlKsZsWVLpbejp$hEHeKgELLGFuNDaKvbqJVFNpDpWlNcWKe$lr@$mvorABDdUWVAoMIbJUCMUJjaKDQCjhiso$nvyUtysraUAcMwSoyYkFAnCpIpjqWKGqjuqZkJTEVlt$pJuiLxlpIQQVZCOWBwJvCdgyxucdQlpxu$pjBMWFPMLfRnyXjLYsCbay$poBcQFzLkzNoN$qBevZwQbdRbuiixhbzVJYkqaFSfKKqLjBiyokpKYyVWp$uCcuBTlHRghbCLvnPpUyBgDjFJWtlqCgG$vPUVgYJQQbxSWuCrBMxZCaWavKaBWtFgk$vyLYJRzsLDoBZLfuBSHeRYouoHGOyAX$wufvFqxpuUTPWDxIMhVQVXMUrTBfmTKoTL$~$u@
                          • API String ID: 0-1094292881
                          • Opcode ID: d1067dd5db0f23b7aa494a81b3bd42a2049ef05c1a11495dba23e4d30f6825c0
                          • Instruction ID: 380590ea497c05c1fcf98791c0fdef58a4cc697d54b6f84ef107fe80151c5d57
                          • Opcode Fuzzy Hash: d1067dd5db0f23b7aa494a81b3bd42a2049ef05c1a11495dba23e4d30f6825c0
                          • Instruction Fuzzy Hash: 2AC3F5719002299FDB65DF54DD88BDEB7B4BB48300F1082EAE50AA72A0DB745BC5CF94
                          Function 0040C190 Relevance: 83.0, Strings: 63, Instructions: 4278COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_401000_Quotation____________________________________pdf.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0A19220512362E1A093C21$101A01322F274723231F2F$15000213103B102706360537$173B1C3E0D0F3E08$19012B000D02250C0922$1A363300290F1C36476E57$1B010F39030B013A$1B0A201A3E2E07$2103311538042304$2623233E192E0B37646254$2C11212B012B0B2C0C1D20574866253F0A012E3507$2D283733310324$2E250F282C231B031F221713301F5214302D0D$2F253A3023$3133011607462C091A340E06$350B2C040D1C2500392D063904$6B4B233536302A021F2A100635240C5C610C142923182B261D44317C39033B1301$786D070F17181F3C060F251F362F1157443C172112230A0333652945150D1A2704$8PC$8PC$===============DARKCLOUD===============$@PC$@PC$@PC$@PC$@PC$@PC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$FvBPMnAySDXtJJePiraFwIJ$HLVnUFIggBkNEskpEMmceqAyvJIHqfbGlZXCLcuxrmWR$LmaQGhHjXerNwrFkPxexeIxJIDhFbiCkk$MOEVrGnqSgTwbthMZlHxBIukyyhFyfFuS$NordVPN$Profiles$RJbYehlVdfVufERRveleHNDoNFGHqfJRNfhpYPlau$UiLVUPodfpuXZnYiSyeNB$V$XXnaMbhuIcSjYvdOJjxPii$XmFrsuhOftRgaaiKPwOxboU$ZrajNMVwwCnxtYqrPQYlVDHIzopCCrRah$\Profiles$\User Data$\User Data\Default\Login Data$bXeOqWKtsDbcDyTXPnqusaYfBcCDbjzRcUkutYgALp$bikGawXZshPRULaMTbypyxKuoeXvfnQZ$llfBfYcFwAZl$nvyUtysraUAcMwSoyYkFAnCpIpjqWKGqjuqZkJTEVlt$qWBtjclvRaTe$rDdPPBDClxqPhTIiaFYgLQvJKxclSObWfdedZWuMwvB$rVOOCEoUuHwH$uBhYlCNsMpXFMrUScqwbrno$ufMNwPwEsfwX
                          • API String ID: 0-3034832492
                          • Opcode ID: b6aef429b4fc3efd5ba24369da85eda4a07fe1e73b34f2058e055cbdb352ac49
                          • Instruction ID: 4c6291a2307f677ff25427b53675b48566a117e37e2ca07ece0678c8b01307cf
                          • Opcode Fuzzy Hash: b6aef429b4fc3efd5ba24369da85eda4a07fe1e73b34f2058e055cbdb352ac49
                          • Instruction Fuzzy Hash: 04A30574901218DFDB24DF64DD88BDAB7B5FB48300F1081EAE50AB72A0DB745A89CF59
                          Function 00414A8D Relevance: 60.6, Strings: 47, Instructions: 1887COMMON
                          Download Yara Rule
                          Strings
                          • 3001181A7229163E320A30, xrefs: 004152EF
                          • 02213D1C350D19257104253F316F19231A2F, xrefs: 004159D3
                          • 241911274C021D092F00681B300B1313193E, xrefs: 00414FFB
                          • pJuiLxlpIQQVZCOWBwJvCdgyxucdQlpxu, xrefs: 004159FE
                          • poBcQFzLkzNoN, xrefs: 00415DB6
                          • BjWEwlGphFlHZToavjMLr, xrefs: 00415026
                          • 3224234B58193429247701030616, xrefs: 00414E03
                          • qBevZwQbdRbuiixhbzVJYkqaFSfKKqLjBiyokpKYyVWp, xrefs: 0041570A
                          • WRLTIxIJzxyfOessyOeXHOdybXIFlaQr, xrefs: 00416249
                          • 0527241E54123C0330, xrefs: 004158D7
                          • 091E023874263D013E0F35, xrefs: 00414C0B
                          • ULjeNtGOfBXPlOEdnpokjNA, xrefs: 00415902
                          • hEHeKgELLGFuNDaKvbqJVFNpDpWlNcWKe, xrefs: 0041560E
                          • uCcuBTlHRghbCLvnPpUyBgDjFJWtlqCgG, xrefs: 00415BF6
                          • 312B2E3241112521007800091B1F, xrefs: 004153EB
                          • 316A5C707C26633755674715114238227C1C4A6152571132652C416B38306B000D46207E42772D34234E2B0757165B577742112D441E4D0A2757362A5714323542, xrefs: 00415D8B
                          • LYKyZNHRzNsQuNyoIkOPlCXcyUKLaVdxwYdfMBvqFM, xrefs: 00415E7D, 00415F9D
                          • 262B2216513D1D143C387016201C3B281B25, xrefs: 00414B0F
                          • JfbgXdkKpdhrjnunFRBIxsRpaxEpBHk, xrefs: 00415512
                          • ObksxxLGLVW, xrefs: 00414E2E
                          • wufvFqxpuUTPWDxIMhVQVXMUrTBfmTKoTL, xrefs: 00414B3A
                          • 2636054759201713232411, xrefs: 00414D07
                          • 0D1C311B47103F2935, xrefs: 004155E3
                          • IfFFwMgZxqHa, xrefs: 004162CE
                          • 230F063108, xrefs: 004154E7
                          • vPUVgYJQQbxSWuCrBMxZCaWavKaBWtFgk, xrefs: 00415CF2
                          • nvyUtysraUAcMwSoyYkFAnCpIpjqWKGqjuqZkJTEVlt, xrefs: 00414D32
                          • 3A342918393B3E1D17291425127C150329353F1F213A0E3F, xrefs: 004162A3
                          • 0F092A393C21220E602134120B011F, xrefs: 00415E52, 00415F72
                          • 25253A241F243E0942020F221516010A200B393C260B172E3D3F23005C381F27373E272616283E1F05583A13, xrefs: 0041621E
                          • 341A07724702051F28, xrefs: 004157DB
                          • 141C043145390A203D4719331A0F, xrefs: 00414EFF
                          • vyLYJRzsLDoBZLfuBSHeRYouoHGOyAX, xrefs: 0041531A
                          • fikBOizkrOVyluFbdBvlKsZsWVLpbejp, xrefs: 00415AFA
                          • 102E211274393B3715, xrefs: 00415BCB
                          • UNLdxshqrcuRlydjrQlyyzgjslmmhluBr, xrefs: 00415122
                          • 00023028533D021711551C0D1401, xrefs: 004150F7
                          • 0E7D0D067430107C38487E6E2A1F5F1E6325716A217F3A17661B037A2E764A52290C780A490461780D4C5008365839336F172521714D621C5F6F, xrefs: 00415CC7
                          • 0A31220A57020716240707493C2A24, xrefs: 004156DF
                          • TZSVhTuXsHjGDLkXvEttFXRyfmJfloMKulRTEOhnKK, xrefs: 00414C36
                          • JGQPaelyEOgWRwjVRUNLYbUX, xrefs: 00414F2A
                          • NxfobaDVDrXNhvzdIWiKZwqxqPxGyOtDMW, xrefs: 00415416
                          • 213F161F241B021E6F051C1E032310, xrefs: 00415ACF
                          • HdUWAgWvzZeYbknkjqvHEsX, xrefs: 00415806
                          • WpEowqemvixMpIYEcSmsisrxPSapdYgK, xrefs: 0041521E
                          • u, xrefs: 00419F03
                          • 3E0B3B27513608041F1D3F, xrefs: 004151F3
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Offset: 00414000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_414000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 00023028533D021711551C0D1401$02213D1C350D19257104253F316F19231A2F$0527241E54123C0330$091E023874263D013E0F35$0A31220A57020716240707493C2A24$0D1C311B47103F2935$0E7D0D067430107C38487E6E2A1F5F1E6325716A217F3A17661B037A2E764A52290C780A490461780D4C5008365839336F172521714D621C5F6F$0F092A393C21220E602134120B011F$102E211274393B3715$141C043145390A203D4719331A0F$213F161F241B021E6F051C1E032310$230F063108$241911274C021D092F00681B300B1313193E$25253A241F243E0942020F221516010A200B393C260B172E3D3F23005C381F27373E272616283E1F05583A13$262B2216513D1D143C387016201C3B281B25$2636054759201713232411$3001181A7229163E320A30$312B2E3241112521007800091B1F$316A5C707C26633755674715114238227C1C4A6152571132652C416B38306B000D46207E42772D34234E2B0757165B577742112D441E4D0A2757362A5714323542$3224234B58193429247701030616$341A07724702051F28$3A342918393B3E1D17291425127C150329353F1F213A0E3F$3E0B3B27513608041F1D3F$BjWEwlGphFlHZToavjMLr$HdUWAgWvzZeYbknkjqvHEsX$IfFFwMgZxqHa$JGQPaelyEOgWRwjVRUNLYbUX$JfbgXdkKpdhrjnunFRBIxsRpaxEpBHk$LYKyZNHRzNsQuNyoIkOPlCXcyUKLaVdxwYdfMBvqFM$NxfobaDVDrXNhvzdIWiKZwqxqPxGyOtDMW$ObksxxLGLVW$TZSVhTuXsHjGDLkXvEttFXRyfmJfloMKulRTEOhnKK$ULjeNtGOfBXPlOEdnpokjNA$UNLdxshqrcuRlydjrQlyyzgjslmmhluBr$WRLTIxIJzxyfOessyOeXHOdybXIFlaQr$WpEowqemvixMpIYEcSmsisrxPSapdYgK$fikBOizkrOVyluFbdBvlKsZsWVLpbejp$hEHeKgELLGFuNDaKvbqJVFNpDpWlNcWKe$nvyUtysraUAcMwSoyYkFAnCpIpjqWKGqjuqZkJTEVlt$pJuiLxlpIQQVZCOWBwJvCdgyxucdQlpxu$poBcQFzLkzNoN$qBevZwQbdRbuiixhbzVJYkqaFSfKKqLjBiyokpKYyVWp$u$uCcuBTlHRghbCLvnPpUyBgDjFJWtlqCgG$vPUVgYJQQbxSWuCrBMxZCaWavKaBWtFgk$vyLYJRzsLDoBZLfuBSHeRYouoHGOyAX$wufvFqxpuUTPWDxIMhVQVXMUrTBfmTKoTL
                          • API String ID: 0-2409639
                          • Opcode ID: a42236385255042e0de987e6fa61fc7ca384e02fc1f67cc6caf5cd6f974156d7
                          • Instruction ID: 286e2e067005df3aa92197473465e29471feca7d76ff4f52e6248cab4f704016
                          • Opcode Fuzzy Hash: a42236385255042e0de987e6fa61fc7ca384e02fc1f67cc6caf5cd6f974156d7
                          • Instruction Fuzzy Hash: B523D6719002299BDB64DF54DD88BDEB7B4FB48304F1082EAE50AA72A0DB745EC5CF94
                          Function 00420CB0 Relevance: 50.7, Strings: 39, Instructions: 1932COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Offset: 00414000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_414000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 041105140923011035390D$0A0B2D0016$111402320A39031A6825212975$18340B2A0430052D321B2633203E103B29$1A3116332C0D0131351D16210E25$1A363300290F1C36476E57$1D22140E0F2A2525021D330620171C$221218123D3A032C$223E100B1107264B1E2A022319$230F063108$25073B0F20203D362D0E022A270711165710081737$2623233E192E0B37646254$2C142D2F3B1A242E1E0D2C3B26173F3C3F74380B176A$322526053A0408391E20006574580E180F03322200$3229250F14$33262A200A3E0279121B2B$350728390B3E273A$362828090A19171B610A1216$@$C:\\$DHQyCkTlNqsCPKjyVLmmhFWszOdlozVUWO$FrskaJUqHhMmVwMSCBRXsYX$FvBPMnAySDXtJJePiraFwIJ$JfbgXdkKpdhrjnunFRBIxsRpaxEpBHk$JfsGKjYBfTtlxGWlGTpiZxIbTElJeRfv$LXLulcOvLesRrUeyeTNUUBaRhVGVuMFRqrYvRjvoKw$MOEVrGnqSgTwbthMZlHxBIukyyhFyfFuS$OMUaQeLmnFWDJExPQXrqTds$OjiKjelyoOyfqcMqYxJfeZ$PyFXlcFZjlmaERieeydlvCanRNfYYUuo$WkUJvQWkhcodXDktiNsTgT$ZpUNLToJZmQmXExJRKZJnt$gKdqsfJowfjAMKtoGKGdZDsa$huIRMkWnWwcNjClUXfrwURODDUGklrlMT$jgjDlJXsPouyqpOnFVWgek$lUDbTCdoVfxdWkWESuSBfFGEkHHlroQ$lvHQnHrTJMitEfkaLVqmvN$uumsyxwReMBgO$zsUViSgiMwOnENxHwwNSKliMWbpNSLsHmFPruHpdIJa
                          • API String ID: 0-1155344790
                          • Opcode ID: cd576c7b09153c93a6d19fdfecb1c509b4d3822929ea111cf4e03777e99cce99
                          • Instruction ID: eb97378c5c0c9b9009f06849911464de98b51fc2c2d0a5df56e2ee172029d36d
                          • Opcode Fuzzy Hash: cd576c7b09153c93a6d19fdfecb1c509b4d3822929ea111cf4e03777e99cce99
                          • Instruction Fuzzy Hash: FE13D871900229DFDB24DF60DD88BDEB779BB49304F1081EAE10AB62A0DB745B89CF55
                          Function 0040CB6E Relevance: 45.9, Strings: 35, Instructions: 2106COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_401000_Quotation____________________________________pdf.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1$101A01322F274723231F2F$1A363300290F1C36476E57$2623233E192E0B37646254$2C11212B012B0B2C0C1D20574866253F0A012E3507$2E250F282C231B031F221713301F5214302D0D$3133011607462C091A340E06$6B4B233536302A021F2A100635240C5C610C142923182B261D44317C39033B1301$786D070F17181F3C060F251F362F1157443C172112230A0333652945150D1A2704$8PC$8PC$===============DARKCLOUD===============$@PC$@PC$@PC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$FvBPMnAySDXtJJePiraFwIJ$HLVnUFIggBkNEskpEMmceqAyvJIHqfbGlZXCLcuxrmWR$LmaQGhHjXerNwrFkPxexeIxJIDhFbiCkk$MOEVrGnqSgTwbthMZlHxBIukyyhFyfFuS$NordVPN$Profiles$XmFrsuhOftRgaaiKPwOxboU$ZrajNMVwwCnxtYqrPQYlVDHIzopCCrRah$\Profiles$\User Data$\User Data\Default\Login Data$qWBtjclvRaTe$rDdPPBDClxqPhTIiaFYgLQvJKxclSObWfdedZWuMwvB
                          • API String ID: 0-3276640714
                          • Opcode ID: fd1d99d80968c88fdc2111c5b1e5d414301af904bbb3ac736380da0d1154f84c
                          • Instruction ID: 01c94b21628933d855b58d324acc9176e6ec7a526afabcc74f7a18c393505429
                          • Opcode Fuzzy Hash: fd1d99d80968c88fdc2111c5b1e5d414301af904bbb3ac736380da0d1154f84c
                          • Instruction Fuzzy Hash: 37330870A00228DFDB24DF54DD84BDAB7B5FB49300F1081EAE54AB72A0DB745A89CF59
                          Function 0040CCD2 Relevance: 45.8, Strings: 35, Instructions: 2046COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_401000_Quotation____________________________________pdf.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1$101A01322F274723231F2F$1A363300290F1C36476E57$2623233E192E0B37646254$2C11212B012B0B2C0C1D20574866253F0A012E3507$2E250F282C231B031F221713301F5214302D0D$3133011607462C091A340E06$6B4B233536302A021F2A100635240C5C610C142923182B261D44317C39033B1301$786D070F17181F3C060F251F362F1157443C172112230A0333652945150D1A2704$8PC$8PC$===============DARKCLOUD===============$@PC$@PC$@PC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$FvBPMnAySDXtJJePiraFwIJ$HLVnUFIggBkNEskpEMmceqAyvJIHqfbGlZXCLcuxrmWR$LmaQGhHjXerNwrFkPxexeIxJIDhFbiCkk$MOEVrGnqSgTwbthMZlHxBIukyyhFyfFuS$NordVPN$Profiles$XmFrsuhOftRgaaiKPwOxboU$ZrajNMVwwCnxtYqrPQYlVDHIzopCCrRah$\Profiles$\User Data$\User Data\Default\Login Data$qWBtjclvRaTe$rDdPPBDClxqPhTIiaFYgLQvJKxclSObWfdedZWuMwvB
                          • API String ID: 0-3276640714
                          • Opcode ID: 0b2498df6de470572f74b61697f0a5ec0c40fb4467673b08842bfd730fc7f112
                          • Instruction ID: fedd5f46bc2f692d6987a96b5715e224f451e55213f84dfbd8ccf3497fdcdf91
                          • Opcode Fuzzy Hash: 0b2498df6de470572f74b61697f0a5ec0c40fb4467673b08842bfd730fc7f112
                          • Instruction Fuzzy Hash: 32230871A00228DFDB24DF54DD84BDAB7B5FB48300F1081EAE54AB72A0DB745A89CF59
                          Function 0041BA50 Relevance: 39.9, Strings: 30, Instructions: 2374COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Offset: 00414000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_414000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 1A363300290F1C36476E57$2005293B1A200A3E0A0E2C6E5868$205066$2623233E192E0B37646254$2C6954$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$<PC$FvBPMnAySDXtJJePiraFwIJ$MOEVrGnqSgTwbthMZlHxBIukyyhFyfFuS$PO@$QauYWsCkJcaBNbHeWcfvaRZqTMcfXDLZ$RZXdhtgGvYrvbnnvXVrsQDVpjgECbjSGCOaIflqXI$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$SELECT origin_url, username_value, password_value FROM logins$SELECT origin_url, username_value, password_value, length(password_value) FROM logins$TR@$TR@$TR@$b$d$kVaWIBxTijhiIYqlQCGEpSJFVnfOnHJc$}@
                          • API String ID: 0-558303816
                          • Opcode ID: a99c52d8849416ff1a09b1605481471ad162a0b08fd338f988ed1a74c5ec44ec
                          • Instruction ID: 39244a8a8d5f095a4530c6a55624ca16c829490d30299f839a68b7303a65abd6
                          • Opcode Fuzzy Hash: a99c52d8849416ff1a09b1605481471ad162a0b08fd338f988ed1a74c5ec44ec
                          • Instruction Fuzzy Hash: 6433F5B5900218DFDB15DF90DD98BDEB7B9BB48304F0081EAE10AB72A0DB745A89CF55
                          Function 00403BCE Relevance: 26.8, Strings: 21, Instructions: 548COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_401000_Quotation____________________________________pdf.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0A19220512362E1A093C21$15000213103B102706360537$173B1C3E0D0F3E08$19012B000D02250C0922$1B010F39030B013A$1B0A201A3E2E07$2103311538042304$2D283733310324$2F253A3023$350B2C040D1C2500392D063904$G$RJbYehlVdfVufERRveleHNDoNFGHqfJRNfhpYPlau$UiLVUPodfpuXZnYiSyeNB$XXnaMbhuIcSjYvdOJjxPii$bXeOqWKtsDbcDyTXPnqusaYfBcCDbjzRcUkutYgALp$bikGawXZshPRULaMTbypyxKuoeXvfnQZ$llfBfYcFwAZl$nvyUtysraUAcMwSoyYkFAnCpIpjqWKGqjuqZkJTEVlt$rVOOCEoUuHwH$uBhYlCNsMpXFMrUScqwbrno$ufMNwPwEsfwX
                          • API String ID: 0-2986749102
                          • Opcode ID: 65b9b71af9c394ec6e572f87091d29ae3db9bbfc25a52bcbfd2b5b588e87a558
                          • Instruction ID: f5834a67f0fe1c5952e8dd30278ce10160e1baeb004a15e3ac9408882b5b385d
                          • Opcode Fuzzy Hash: 65b9b71af9c394ec6e572f87091d29ae3db9bbfc25a52bcbfd2b5b588e87a558
                          • Instruction Fuzzy Hash: 5332C872900109EBCB04EFE1DA94EDEB779FF48304F14856AE106B71A4EB746A49CF64
                          Function 0040F391 Relevance: 25.0, Strings: 19, Instructions: 1224COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_401000_Quotation____________________________________pdf.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 101A01322F274723231F2F$2E250F282C231B031F221713301F5214302D0D$@PC$@PC$@PC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$HLVnUFIggBkNEskpEMmceqAyvJIHqfbGlZXCLcuxrmWR$Profiles$S$ZrajNMVwwCnxtYqrPQYlVDHIzopCCrRah$\Profiles$\User Data$\User Data\Default\Login Data
                          • API String ID: 0-2399440272
                          • Opcode ID: 9b9053d58d6e2910fdaadc6dad44900e8b9313060ad6b5e89e3ccef718a820d3
                          • Instruction ID: 039960ee7a72c385ab77df2cb8cc8abfa884eb1ed13c030048ea5ee524dc69bf
                          • Opcode Fuzzy Hash: 9b9053d58d6e2910fdaadc6dad44900e8b9313060ad6b5e89e3ccef718a820d3
                          • Instruction Fuzzy Hash: 43D20670A01219DFEB24CF54DD84BAAB7B1FB49300F1081EAE509B72A0DB755AC9CF59
                          Function 0040F4F5 Relevance: 24.9, Strings: 19, Instructions: 1164COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_401000_Quotation____________________________________pdf.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 101A01322F274723231F2F$2E250F282C231B031F221713301F5214302D0D$@PC$@PC$@PC$DPC$DPC$DPC$DPC$DPC$DPC$DPC$HLVnUFIggBkNEskpEMmceqAyvJIHqfbGlZXCLcuxrmWR$Profiles$S$ZrajNMVwwCnxtYqrPQYlVDHIzopCCrRah$\Profiles$\User Data$\User Data\Default\Login Data
                          • API String ID: 0-2399440272
                          • Opcode ID: 2e70a4e185e3138d9dc76a62b6558abe2a970eb0578827d3ffa893a70715d1e7
                          • Instruction ID: 611a446a80babfaa0d6459085e5311e6bde5e91ce7a12fca9536fa44020029fc
                          • Opcode Fuzzy Hash: 2e70a4e185e3138d9dc76a62b6558abe2a970eb0578827d3ffa893a70715d1e7
                          • Instruction Fuzzy Hash: 03C20670A01218DFEB24CF54DD84BAAB7B5FB49300F1081EAE509B72A0DB755AC9CF59
                          Function 004123D0 Relevance: 13.3, Strings: 10, Instructions: 770COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_412000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 051D0A3A210E3B063F37164C784314041E312103$1A363300290F1C36476E57$2623233E192E0B37646254$3E2401221605160F767949$8PC$8PC$FvBPMnAySDXtJJePiraFwIJ$LnVnVyfycVCim$MOEVrGnqSgTwbthMZlHxBIukyyhFyfFuS$cDmzVHmZrVXxlB
                          • API String ID: 0-1908135189
                          • Opcode ID: f1cda1cddb0285d6bed973e22b4f28ae5d45fa5c7896ff0b1d5bc07d5be4c52e
                          • Instruction ID: 664339401ea5e45de0bb6aa6b06405d9d9dd43942a7d729fbe2f80723e7aa016
                          • Opcode Fuzzy Hash: f1cda1cddb0285d6bed973e22b4f28ae5d45fa5c7896ff0b1d5bc07d5be4c52e
                          • Instruction Fuzzy Hash: 5D72F375900218DFDB14DFA0DE98BDEB7B5FB48300F1081AAE50AB72A0DB745A85CF59
                          Function 004204B6 Relevance: 12.0, Strings: 9, Instructions: 778COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Offset: 00414000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_414000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 223E100B1107264B1E2A022319$33262A200A3E0279121B2B$332F36043D260358383E1F25$3637200E3A381F2B59211E1B0C2430$C:\\$huIRMkWnWwcNjClUXfrwURODDUGklrlMT$pjDIiTWqXwRowePUucAhJw$poCYcTHpvRMpK$uumsyxwReMBgO
                          • API String ID: 0-3667555594
                          • Opcode ID: 85a79fe3511be17934504b6eb405319dd5927dfd0381c7286ddd3a4bb2a515f8
                          • Instruction ID: 41a112a1fd310ddf88bacb83baf29c06f97dfa926cf5b71720c014c9625b91b4
                          • Opcode Fuzzy Hash: 85a79fe3511be17934504b6eb405319dd5927dfd0381c7286ddd3a4bb2a515f8
                          • Instruction Fuzzy Hash: F6720971A00219DFDB14DFA0DD88BEEB7B5FB48300F1081A9E50AB72A5DB745A89CF54
                          Function 004203F0 Relevance: 5.5, Strings: 4, Instructions: 536COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Offset: 00414000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_414000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 332F36043D260358383E1F25$3637200E3A381F2B59211E1B0C2430$pjDIiTWqXwRowePUucAhJw$poCYcTHpvRMpK
                          • API String ID: 0-917630058
                          • Opcode ID: 28eb8258941d0823a473ae99455f5c3b98b57057135701e008bbc29513977018
                          • Instruction ID: 5ccbef703b645656f31902b13694e4024e9c61ec8718b796dcefba26c948f352
                          • Opcode Fuzzy Hash: 28eb8258941d0823a473ae99455f5c3b98b57057135701e008bbc29513977018
                          • Instruction Fuzzy Hash: 60321A75900218DFDB14DF94DD88BDEBBB4FB48300F1081AAE50ABB2A5DB745A89CF54
                          Function 004123C7 Relevance: .3, Instructions: 262COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_412000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a67801c81352c85e768910e899501a38aab451d5dd7221fcde2c7d536dae21dd
                          • Instruction ID: 503ddd3a31f0cd4b796a25ab29e3e4d9f757b90f7c178299d4bbb240f3cd4442
                          • Opcode Fuzzy Hash: a67801c81352c85e768910e899501a38aab451d5dd7221fcde2c7d536dae21dd
                          • Instruction Fuzzy Hash: CED10774900219DFDB28CF54DA94BEAB7B5FB48300F1081EAE50AA72A0D7B45AC5CF59
                          Function 0041245C Relevance: .2, Instructions: 231COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_412000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76b416c85377595f6680780d3b822fdbac1c5e9eacb1683d976d8b2b3fe0440f
                          • Instruction ID: 985e98bdb1d04dee4576318c2291808d41bc6b40d0425848a7fa63a8d58185dc
                          • Opcode Fuzzy Hash: 76b416c85377595f6680780d3b822fdbac1c5e9eacb1683d976d8b2b3fe0440f
                          • Instruction Fuzzy Hash: 94C10974900229DFDB68CF14DA94BEAB7B5FB48300F1081EAE50AA72A0D7745EC5CF59
                          Function 00403120 Relevance: .0, Instructions: 38COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_401000_Quotation____________________________________pdf.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 91101ceb5214dec1f83d1714018dceaf0fcdae950d21bb076e1403ae397a20eb
                          • Instruction ID: 6e3992615c9816ae20ae08d1780d7e458b8a55a13ba43a819fb60abb5133df36
                          • Opcode Fuzzy Hash: 91101ceb5214dec1f83d1714018dceaf0fcdae950d21bb076e1403ae397a20eb
                          • Instruction Fuzzy Hash: EA01952051E7C29FD3138B34882A691BFB0AF53615B1A41EBC4D5EF4F3D2A8485AC722
                          Function 004042E8 Relevance: .0, Instructions: 8COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_401000_Quotation____________________________________pdf.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 53c0c69187034f3fb52c11468cb2be0f02c8176886640cf8966667ff227a1d0e
                          • Instruction ID: 5d2e7e421c074f9b40ea6f3ddd7db47996003ff6b7d0f6f1427ba51db648ca91
                          • Opcode Fuzzy Hash: 53c0c69187034f3fb52c11468cb2be0f02c8176886640cf8966667ff227a1d0e
                          • Instruction Fuzzy Hash: EBB01250384001BAD60096945C014252280F6C03C07304C77F900F21D4C6B8DC00853D

                          Non-executed Functions

                          Function 00412000 Relevance: 5.2, Strings: 4, Instructions: 180COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2518251668.0000000000412000.00000040.00000400.00020000.00000000.sdmp, Offset: 00412000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_412000_Quotation____________________________________pdf.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8PC$<PC$DC-Creds$r
                          • API String ID: 0-1750108367
                          • Opcode ID: c914463a1268cc34b7600b84edc60b999f062cb610c1c61173200888d6998c46
                          • Instruction ID: a46a0fefde1b363a683994e778eaf066c79ea53a04f1a0c2633ec9029b49729a
                          • Opcode Fuzzy Hash: c914463a1268cc34b7600b84edc60b999f062cb610c1c61173200888d6998c46
                          • Instruction Fuzzy Hash: 3581187190011AEFDB14DBA0DE59BED7778FB48705F4081AAF20AB60A0DB741B89CF64

                          Execution Graph

                          Execution Coverage:10.4%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:88
                          Total number of Limit Nodes:7
                          execution_graph 34960 141e800 34961 141e846 34960->34961 34964 141e9e0 34961->34964 34967 141e5d8 34964->34967 34968 141ea48 DuplicateHandle 34967->34968 34969 141e933 34968->34969 34998 141c760 34999 141c7a2 34998->34999 35000 141c7a8 GetModuleHandleW 34998->35000 34999->35000 35001 141c7d5 35000->35001 34970 60184c8 34971 6018502 34970->34971 34972 6018593 34971->34972 34973 601857e 34971->34973 34974 60180b8 3 API calls 34972->34974 34978 60180b8 34973->34978 34976 60185a2 34974->34976 34980 60180c3 34978->34980 34979 6018589 34980->34979 34983 6018f77 34980->34983 34989 6018f88 34980->34989 34995 6018104 34983->34995 34986 6018faf 34986->34979 34987 6018fc7 CreateIconFromResourceEx 34988 6019056 34987->34988 34988->34979 34990 6018fa2 34989->34990 34991 6018104 CreateIconFromResourceEx 34989->34991 34992 6018faf 34990->34992 34993 6018fc7 CreateIconFromResourceEx 34990->34993 34991->34990 34992->34979 34994 6019056 34993->34994 34994->34979 34996 6018fd8 CreateIconFromResourceEx 34995->34996 34997 6018fa2 34996->34997 34997->34986 34997->34987 35002 1414668 35003 1414684 35002->35003 35004 141469f 35003->35004 35008 1414800 35003->35008 35013 1414224 35004->35013 35006 14146be 35009 1414825 35008->35009 35017 1414901 35009->35017 35021 1414910 35009->35021 35014 141422f 35013->35014 35029 1417bbc 35014->35029 35016 1417e7a 35016->35006 35018 1414937 35017->35018 35019 1414a14 35018->35019 35025 1414524 35018->35025 35022 1414937 35021->35022 35023 1414524 CreateActCtxA 35022->35023 35024 1414a14 35022->35024 35023->35024 35026 1415da0 CreateActCtxA 35025->35026 35028 1415e63 35026->35028 35030 1417bc7 35029->35030 35033 1417cbc 35030->35033 35032 141894d 35032->35016 35034 1417cc7 35033->35034 35037 1417cec 35034->35037 35036 1418a22 35036->35032 35038 1417cf7 35037->35038 35041 1417d1c 35038->35041 35040 1418b25 35040->35036 35042 1417d27 35041->35042 35047 14197c0 35042->35047 35044 1419dd1 35044->35040 35045 1419ba8 35045->35044 35052 141e130 35045->35052 35048 14197cb 35047->35048 35049 141b022 35048->35049 35056 141b080 35048->35056 35060 141b072 35048->35060 35049->35045 35053 141e151 35052->35053 35054 141e175 35053->35054 35064 141e6e8 35053->35064 35054->35044 35057 141b0c3 35056->35057 35058 141b0ce KiUserCallbackDispatcher 35057->35058 35059 141b0f8 35057->35059 35058->35059 35059->35049 35061 141b0c3 35060->35061 35062 141b0ce KiUserCallbackDispatcher 35061->35062 35063 141b0f8 35061->35063 35062->35063 35063->35049 35066 141e6f5 35064->35066 35065 141e72f 35065->35054 35066->35065 35068 141e510 35066->35068 35069 141e51b 35068->35069 35070 141f040 35069->35070 35072 141e63c 35069->35072 35073 141e647 35072->35073 35074 1417d1c 2 API calls 35073->35074 35075 141f0af 35074->35075 35075->35070

                          Executed Functions

                          Function 0786407A Relevance: 1.5, Strings: 1, Instructions: 251COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: 5{
                          • API String ID: 0-2291050889
                          • Opcode ID: 7000d5ac931908b46e830dcfc89322b3fb408dcdcbf7a26581349f1d8e350fe9
                          • Instruction ID: 23f719d26295bda99d7b516045233800c0cea590f389e22d44306ef28a0ccba3
                          • Opcode Fuzzy Hash: 7000d5ac931908b46e830dcfc89322b3fb408dcdcbf7a26581349f1d8e350fe9
                          • Instruction Fuzzy Hash: 6FB169B4E01209AFCB04DFA9D5455AEFBB2FF99300F209469D809EB354DB389A45CF61
                          Function 07864088 Relevance: 1.5, Strings: 1, Instructions: 246COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: 5{
                          • API String ID: 0-2291050889
                          • Opcode ID: 51ea755a2846b6289d2b4a79d3bd0c8f2309abf5ae2ef2e91fb94bfa33b6bce2
                          • Instruction ID: 4fe6f701884a48100381668810fe80c1ce3b5a6b6116bc645d659f07cc734f23
                          • Opcode Fuzzy Hash: 51ea755a2846b6289d2b4a79d3bd0c8f2309abf5ae2ef2e91fb94bfa33b6bce2
                          • Instruction Fuzzy Hash: A3A168B4E01209EFCB04DFA9D5854AEFBB2FF99300F209469D809AB314DB399A41CF51
                          Function 07865B22 Relevance: 1.5, Strings: 1, Instructions: 208COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: j4$y
                          • API String ID: 0-2391584009
                          • Opcode ID: 127a4f8d2dc29dee7012daf8f3da3c1a651d0d0b6df9cbcea92cb78526ac0eeb
                          • Instruction ID: 3295ee02a9eb529519692bd2ef53cfb7cc9cacc556c1673045a6f5e3afe4ab28
                          • Opcode Fuzzy Hash: 127a4f8d2dc29dee7012daf8f3da3c1a651d0d0b6df9cbcea92cb78526ac0eeb
                          • Instruction Fuzzy Hash: D68127B1D1520DEFCB08CFA5D58489EFBB2EF9A311F10942AE415EB264DB349956CF04
                          Function 07865B30 Relevance: 1.5, Strings: 1, Instructions: 208COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: j4$y
                          • API String ID: 0-2391584009
                          • Opcode ID: 5a0c19adaaba6b8a78f7176f946d65cc5fae45709ee3721b2403c044ba0bf0be
                          • Instruction ID: e98aff26382614865604344b8188b4c45f58d9135e2d87d084011e9ab0c5f90f
                          • Opcode Fuzzy Hash: 5a0c19adaaba6b8a78f7176f946d65cc5fae45709ee3721b2403c044ba0bf0be
                          • Instruction Fuzzy Hash: 718117B0D1520DEFCB08CFA6D58489EFBB2EF9A315F10942AE415EB264DB349952CF04
                          Function 07864446 Relevance: .2, Instructions: 189COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 979d88c53eb4ecaada2002ee56e621d592cc7f1c0c5b7a65f2e52e807dde5eda
                          • Instruction ID: 2ddc0ecd36ad1e427d044d674731b5827e6efc93a609a26c5a47ef456ebe7085
                          • Opcode Fuzzy Hash: 979d88c53eb4ecaada2002ee56e621d592cc7f1c0c5b7a65f2e52e807dde5eda
                          • Instruction Fuzzy Hash: BD719CB0D193499FCB05CFA5E85959EFFB2EF9A300F04946AD416EB265DB384A01CF50
                          Function 078644B8 Relevance: .2, Instructions: 160COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 806a5fbd7c096d4a94cc4cd37dcac9cc2c1a93a410702fab9e4c440b027bf54a
                          • Instruction ID: aca887580e4389b4a81b566e0f95026065a054a2f493f7615c31c0c6ad1b25e2
                          • Opcode Fuzzy Hash: 806a5fbd7c096d4a94cc4cd37dcac9cc2c1a93a410702fab9e4c440b027bf54a
                          • Instruction Fuzzy Hash: 0A513DB4E152099FCB04CFA5E5494AEFFB2FF9A300F14942AD416E7254DB748A01CF54
                          Function 078644C8 Relevance: .2, Instructions: 152COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25b9a8964f2534ad569d316f37f7878b1482df2b9a129f25539de8c7c61d69b0
                          • Instruction ID: 83e64fd6633de970191456a4bbe44b0555ef18a7d10fef257c26b263bd7b7679
                          • Opcode Fuzzy Hash: 25b9a8964f2534ad569d316f37f7878b1482df2b9a129f25539de8c7c61d69b0
                          • Instruction Fuzzy Hash: 2C512AB0E15209AFCB08CFA5E5494AEFBB6FF9A300F10982AD416E7254DB749A00CF54
                          Function 078605B0 Relevance: .1, Instructions: 76COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1eb18dfd6090b7895f6005e5ebf4993c2d04a669e369a6bb7db155243330ef8f
                          • Instruction ID: ded5aa01f485225b8060d332fb3e3f426c78481dbbcf893e9ae6aa791667c9d2
                          • Opcode Fuzzy Hash: 1eb18dfd6090b7895f6005e5ebf4993c2d04a669e369a6bb7db155243330ef8f
                          • Instruction Fuzzy Hash: A43106B1E012189BDB58CFAAD84469EBBB7EFC9310F14C0A9D409AB354DB355A85CF40
                          Function 078605A0 Relevance: .1, Instructions: 68COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e1c4b787b6b027b78e4b1eede6bf206504126036f3efdcb4276cc553b23a7bb
                          • Instruction ID: 238c7595ccb2033542c6484aa24b53d66d25903f3da141cba0d3ac6db1119102
                          • Opcode Fuzzy Hash: 2e1c4b787b6b027b78e4b1eede6bf206504126036f3efdcb4276cc553b23a7bb
                          • Instruction Fuzzy Hash: E42137B1E016589BEB18CFABC8446DEBBF7AFC9310F14C07AD408A6258DA740A45CF91
                          Function 01415D78 Relevance: 1.6, APIs: 1, Instructions: 105COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 937 1415d78-1415d8e 939 1415d91-1415e61 CreateActCtxA 937->939 941 1415e63-1415e69 939->941 942 1415e6a-1415ec4 939->942 941->942 949 1415ed3-1415ed7 942->949 950 1415ec6-1415ec9 942->950 951 1415ed9-1415ee5 949->951 952 1415ee8 949->952 950->949 951->952 954 1415ee9 952->954 954->954
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 01415E51
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1312790282.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1410000_qlOtJNH.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: ef189adc85c424047453eb06ef506bc512be17a4b9e532fec2271747d6bca5de
                          • Instruction ID: 493eda01b71d69c08ad738e32720de3224fa2e9831877df8b886e1bbe7d6d615
                          • Opcode Fuzzy Hash: ef189adc85c424047453eb06ef506bc512be17a4b9e532fec2271747d6bca5de
                          • Instruction Fuzzy Hash: F841E0B1C007198FEB25CFA9C8447CDBBF1AF89314F24806AD508AB265DBB56946CF50
                          Function 01414524 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 955 1414524-1415e61 CreateActCtxA 958 1415e63-1415e69 955->958 959 1415e6a-1415ec4 955->959 958->959 966 1415ed3-1415ed7 959->966 967 1415ec6-1415ec9 959->967 968 1415ed9-1415ee5 966->968 969 1415ee8 966->969 967->966 968->969 971 1415ee9 969->971 971->971
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 01415E51
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1312790282.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1410000_qlOtJNH.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: de7cfa0cfc131104a4ed7f7240a5ceded88a47c7b88d99015f1005bca324b2a6
                          • Instruction ID: 953fb7e7eb023848ef3a1dc86e8b422bc41e0892d56f2d57b0bed7b3ad24157e
                          • Opcode Fuzzy Hash: de7cfa0cfc131104a4ed7f7240a5ceded88a47c7b88d99015f1005bca324b2a6
                          • Instruction Fuzzy Hash: 4B41D2B1C00719CBEB24DFA9C8447CEBBF5BF89314F24806AD408AB255DBB56946CF90
                          Function 06018F88 Relevance: 1.6, APIs: 1, Instructions: 84COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 972 6018f88-6018f9a 973 6018fa2-6018fad 972->973 974 6018f9d call 6018104 972->974 975 6018fc2-6019054 CreateIconFromResourceEx 973->975 976 6018faf-6018fbf 973->976 974->973 979 6019056-601905c 975->979 980 601905d-601907a 975->980 979->980
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1317627631.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_6010000_qlOtJNH.jbxd
                          Similarity
                          • API ID: CreateFromIconResource
                          • String ID:
                          • API String ID: 3668623891-0
                          • Opcode ID: 624d60ad1f66b1640137f63bf1b8e3eb628b569da2ab84c3266bdab8fda8b4f4
                          • Instruction ID: 4b0a5aff1d0923dd798da50f1c2d3872ace544990cd29d8bcb87fb4be8583808
                          • Opcode Fuzzy Hash: 624d60ad1f66b1640137f63bf1b8e3eb628b569da2ab84c3266bdab8fda8b4f4
                          • Instruction Fuzzy Hash: BF3189769003499FCB12DFA9D840AEEBFF8EF09310F14846AE654EB261C3359950DFA1
                          Function 0141E5D8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 983 141e5d8-141eadc DuplicateHandle 985 141eae5-141eb02 983->985 986 141eade-141eae4 983->986 986->985
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0141EA0E,?,?,?,?,?), ref: 0141EACF
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1312790282.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1410000_qlOtJNH.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: df0d8bd319e9d2e5c2727e382fb9b2797a996e1a00745aed91d83e7b32cd4e84
                          • Instruction ID: a7d2da3a0b352b7c7eddb9484607718f548e4c1a8297d6f1f5744878948aac06
                          • Opcode Fuzzy Hash: df0d8bd319e9d2e5c2727e382fb9b2797a996e1a00745aed91d83e7b32cd4e84
                          • Instruction Fuzzy Hash: F321D2B5D002489FDB10CF9AD884ADEBBF4FB48320F14841AE914A3350D378A941CFA4
                          Function 06018104 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 989 6018104-6019054 CreateIconFromResourceEx 991 6019056-601905c 989->991 992 601905d-601907a 989->992 991->992
                          APIs
                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06018FA2,?,?,?,?,?), ref: 06019047
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1317627631.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_6010000_qlOtJNH.jbxd
                          Similarity
                          • API ID: CreateFromIconResource
                          • String ID:
                          • API String ID: 3668623891-0
                          • Opcode ID: 68ca9fa96c8b13cf4427bfb2612bd2b42dabca7ee8ae7f0cf181a8b5b3477af8
                          • Instruction ID: 3f7c06bb890c0bd43c786eded069ccf4d78a4d35fcf19c155fd3c94c8858a834
                          • Opcode Fuzzy Hash: 68ca9fa96c8b13cf4427bfb2612bd2b42dabca7ee8ae7f0cf181a8b5b3477af8
                          • Instruction Fuzzy Hash: 1C113AB580034D9FDB20DF9AC844BDEBFF8EB48320F14841AE614A7250C379A954CFA4
                          Function 0141B072 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 995 141b072-141b0cc 997 141b11a-141b133 995->997 998 141b0ce-141b0f6 KiUserCallbackDispatcher 995->998 999 141b0f8-141b0fe 998->999 1000 141b0ff-141b113 998->1000 999->1000 1000->997
                          APIs
                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0141B0E5
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1312790282.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1410000_qlOtJNH.jbxd
                          Similarity
                          • API ID: CallbackDispatcherUser
                          • String ID:
                          • API String ID: 2492992576-0
                          • Opcode ID: 9c60091bdf7ba7ec9483414c4f080fd38a5234f3a075866a4ff50cfbb271e708
                          • Instruction ID: d0053bb1068c534b3e9e5f8b054af038cb6fb219a8956f34197102b1203ed179
                          • Opcode Fuzzy Hash: 9c60091bdf7ba7ec9483414c4f080fd38a5234f3a075866a4ff50cfbb271e708
                          • Instruction Fuzzy Hash: 2011E1B18043888FDB21CF69C5053EABFF4EF05314F14809AD498B7292C3395A05CB66
                          Function 0141B080 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1002 141b080-141b0cc 1004 141b11a-141b133 1002->1004 1005 141b0ce-141b0f6 KiUserCallbackDispatcher 1002->1005 1006 141b0f8-141b0fe 1005->1006 1007 141b0ff-141b113 1005->1007 1006->1007 1007->1004
                          APIs
                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0141B0E5
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1312790282.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1410000_qlOtJNH.jbxd
                          Similarity
                          • API ID: CallbackDispatcherUser
                          • String ID:
                          • API String ID: 2492992576-0
                          • Opcode ID: d68d87107dc4a6bd73acb4eeaed4ef3ceefacdb7b57cfecead1da7cda7dbd03f
                          • Instruction ID: 582eacec8731c8d4cdfc0b0233b9201e98f8041f79aaa92a2056d8405b88acce
                          • Opcode Fuzzy Hash: d68d87107dc4a6bd73acb4eeaed4ef3ceefacdb7b57cfecead1da7cda7dbd03f
                          • Instruction Fuzzy Hash: 5111DDB18003898FDB20CF59C4053EEBFF4EB04314F10805AD458A7292C3395A04CFA6
                          Function 0141C760 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0141C7C6
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1312790282.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1410000_qlOtJNH.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 050f308319e6aaaced60e85cecf51ecc813b9e3519ac70b9ec813a2ea9602a10
                          • Instruction ID: d6528815eddd397bcde57a4acb63395909614ba8fc7cb8c2697c4111e77b988d
                          • Opcode Fuzzy Hash: 050f308319e6aaaced60e85cecf51ecc813b9e3519ac70b9ec813a2ea9602a10
                          • Instruction Fuzzy Hash: F411D2B5C0024A8FDB10DF9AD844A9EFBF5AB88220F14841AD529B7610C379A545CFA5
                          Function 07869841 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teq
                          • API String ID: 0-1098410595
                          • Opcode ID: 53d2b47b0c1cec5e4182e621eabe14e3d08df8a07bf312bcd6f14365e47e82e0
                          • Instruction ID: 5491f5dfd988430b7a978b6c3cb562b5b05a08863feb7db198c8b7a7f52f7ce0
                          • Opcode Fuzzy Hash: 53d2b47b0c1cec5e4182e621eabe14e3d08df8a07bf312bcd6f14365e47e82e0
                          • Instruction Fuzzy Hash: 624108B0D0534CDBDB04DFA6D8486EEBBFABF9A304F14902AD409AB295EB345945CB50
                          Function 0786980C Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teq
                          • API String ID: 0-1098410595
                          • Opcode ID: fd9c9dd7523a611ab53e8646bfbd1c63b0abec852de75068acd6259a7e67af8a
                          • Instruction ID: 81d9dabb975ebd83f94d18405dd81092e2127bb19b5b2e92e359a41eea6f03de
                          • Opcode Fuzzy Hash: fd9c9dd7523a611ab53e8646bfbd1c63b0abec852de75068acd6259a7e67af8a
                          • Instruction Fuzzy Hash: 26413AB0D09349DFDB04CFA6D8482ADBBFABF9A304F14902AD409EB295D7386905CF40
                          Function 07864970 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: G'/.
                          • API String ID: 0-3562003039
                          • Opcode ID: 4276ab951a29ff717c89abbadb75fa8220b0efceb7404a5f04febbcf5e2f5228
                          • Instruction ID: 52b7990c6f375268dfb4ed6ba5c113d9ecb3ea3b9ea7730b6d58027c99f052ba
                          • Opcode Fuzzy Hash: 4276ab951a29ff717c89abbadb75fa8220b0efceb7404a5f04febbcf5e2f5228
                          • Instruction Fuzzy Hash: 0B31A1B0E55289EFCB08CFA4E5445ADBFB6EB96300F1491AAC419E7360EB304F51CB40
                          Function 07865A08 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8q
                          • API String ID: 0-4083045702
                          • Opcode ID: 741ab1ae2c1d28941cb42242fc307143b53a468fd9b228fb47bc6020bd80dc71
                          • Instruction ID: 7493483445a9fc88e4c335098786a9bb0a2e66847c27519083e38ea2bcb3c576
                          • Opcode Fuzzy Hash: 741ab1ae2c1d28941cb42242fc307143b53a468fd9b228fb47bc6020bd80dc71
                          • Instruction Fuzzy Hash: 9031A9B0D0834AAFCB15DFA8D8456AEBFB0FF09300F0081AAD854E7392D7744A40CB91
                          Function 07861AA1 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: ?H,a
                          • API String ID: 0-4093759987
                          • Opcode ID: d7462f25c5eeb1915c6d65cb9ec156d565197dd28881ad57ba5c35998e851d31
                          • Instruction ID: fb278120214db32aa35329656d2e028e6d146c0f20e2851bd519c7a62350f337
                          • Opcode Fuzzy Hash: d7462f25c5eeb1915c6d65cb9ec156d565197dd28881ad57ba5c35998e851d31
                          • Instruction Fuzzy Hash: 15214874E05208AFDB04DFA9D949A9EFBF6EF89300F14C1A6D519D7225D6349E41CB40
                          Function 0786D1C8 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: [K$
                          • API String ID: 0-2748047997
                          • Opcode ID: 7aa1c64dcb54845b480d2ea0a03bcb0eb50016a931f49b4113232c472fe1cac1
                          • Instruction ID: 63cdacc57496066c2a70d0433dc2b5c42462ee62e5a9b5bfb8a8321b27c48295
                          • Opcode Fuzzy Hash: 7aa1c64dcb54845b480d2ea0a03bcb0eb50016a931f49b4113232c472fe1cac1
                          • Instruction Fuzzy Hash: CF316DB4A15318DFDB10DB64C948BA8BBB6FB99200F1042D5D80ADB358D7341D4ACF21
                          Function 078668EF Relevance: 1.3, Strings: 1, Instructions: 57COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: u|P
                          • API String ID: 0-1764873574
                          • Opcode ID: 2151b53bc3a3c3bcd942c73c889f84623360ec79cf4d5a5aad8637de038e5e8c
                          • Instruction ID: 11b70dc9e157c89724581f5f96a4bda21b4e5af0022ed8f9fe70dc53d7b6dc5c
                          • Opcode Fuzzy Hash: 2151b53bc3a3c3bcd942c73c889f84623360ec79cf4d5a5aad8637de038e5e8c
                          • Instruction Fuzzy Hash: 49117CB4E1928AEFCB04CFA5C5456AEFFF2AF86310F24C1AAC915E7350E6344A01CB45
                          Function 07866900 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: u|P
                          • API String ID: 0-1764873574
                          • Opcode ID: 340163ccbfb02532bc1a8ba73221a4118902748166f8de3bfe7cc621f4d64b5f
                          • Instruction ID: 10aadaca53bf73caa466f0f899e609cd9a5d8f4b4f4243c250c3f2b214608c62
                          • Opcode Fuzzy Hash: 340163ccbfb02532bc1a8ba73221a4118902748166f8de3bfe7cc621f4d64b5f
                          • Instruction Fuzzy Hash: 15113AB4E1524EEFCB04CFA9C5456AEFBF6EB89300F24C0AA8909E7304E6345A41CB45
                          Function 07865F22 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: k
                          • API String ID: 0-140662621
                          • Opcode ID: fdc23b8b1bebf6586b05b464778078e7798abedc45c612cae2a35a02248ff76b
                          • Instruction ID: a53d0e5df0c686a6f97e11dd52141d3aed58d46038fb860a2f1091cbf029dea0
                          • Opcode Fuzzy Hash: fdc23b8b1bebf6586b05b464778078e7798abedc45c612cae2a35a02248ff76b
                          • Instruction Fuzzy Hash: 9D0192B5A0020EBFCF05DFE4E8448EEBF76EFA5250B104196E914DB260DB318A11CB91
                          Function 078648C0 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: G'/.
                          • API String ID: 0-3562003039
                          • Opcode ID: ebb174d1531074c221f22fb94e54fc4de90d47d61987afa1f0dbff895a6510bb
                          • Instruction ID: 1a7fa0705e67d5b4669a52e6d3bb6fe6bdfc17756d4fc03f5ee1f34e0423b7fe
                          • Opcode Fuzzy Hash: ebb174d1531074c221f22fb94e54fc4de90d47d61987afa1f0dbff895a6510bb
                          • Instruction Fuzzy Hash: 4401D270E16288EFCB08CFB4E94459EBFB2EB96300F2494B6C509E3260E6308F01C710
                          Function 078698CB Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teq
                          • API String ID: 0-1098410595
                          • Opcode ID: 742a9b2dcde4de52ac1f74e1301811f1cbbcf97f4e411bf974fa90ca62c5486f
                          • Instruction ID: a64674cf5816cb97db1a13c821c4de64bda94bacd341136b7e8df5acf1fba9d4
                          • Opcode Fuzzy Hash: 742a9b2dcde4de52ac1f74e1301811f1cbbcf97f4e411bf974fa90ca62c5486f
                          • Instruction Fuzzy Hash: 68118D75E002098FDB04DFE8C8809EDFBB2FB88310F20816AE919AB355C732A945CB50
                          Function 078648D0 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: G'/.
                          • API String ID: 0-3562003039
                          • Opcode ID: 9ccb8d9bc3c89e4c85b899bee6121fb86cfd34000305780fa7713054c2d9b61e
                          • Instruction ID: 06bf3c85c6a8bb5644bb35a95965b00249677c3614188c6fe4fbefa20d21b7ff
                          • Opcode Fuzzy Hash: 9ccb8d9bc3c89e4c85b899bee6121fb86cfd34000305780fa7713054c2d9b61e
                          • Instruction Fuzzy Hash: B301D4B0E15248EBC708CFA5D94495DFEB6EB96300F20E475C41EE3254E6308B408700
                          Function 07869A70 Relevance: .3, Instructions: 272COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cbbab12966050972f4dca13d5e35acf7c084dbdf294781282da871cd60d5f133
                          • Instruction ID: 51354907cf26e2e9150f6565a25269306badcfd4a6d21f4b4edcf430ad918d61
                          • Opcode Fuzzy Hash: cbbab12966050972f4dca13d5e35acf7c084dbdf294781282da871cd60d5f133
                          • Instruction Fuzzy Hash: 12B14DB4E15219DFDB00DFA4D844ADDBBB5FF89300F109629D509EB285DB34A946CF80
                          Function 0786B1FD Relevance: .1, Instructions: 114COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 127727672da643826b450273d41ed0da3c21d94daf0f8036c352d10b10c73d4b
                          • Instruction ID: b3bb725667126a93935004d6ce8567fc0dc800c2211003118ad112c8542b443e
                          • Opcode Fuzzy Hash: 127727672da643826b450273d41ed0da3c21d94daf0f8036c352d10b10c73d4b
                          • Instruction Fuzzy Hash: 8D4127F0D19249EFCB04CF99D5896ADBFFAFB9A308F208165D809E7211D7349941CB50
                          Function 07867148 Relevance: .1, Instructions: 101COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a86662d2b79b317543b03644756028c1862641695609b9bb5965d6eec3ab1628
                          • Instruction ID: 263b5550dc36bbc3bc442727c345331ad6709fbc68f936de6aff3651affe0062
                          • Opcode Fuzzy Hash: a86662d2b79b317543b03644756028c1862641695609b9bb5965d6eec3ab1628
                          • Instruction Fuzzy Hash: 5231BFB0E19209EFCB04CFA5D94569EBBB2EF9A318F1091AAD415EB350D7348A41CB91
                          Function 0786D08F Relevance: .1, Instructions: 98COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ffe0c30208af0f4ab83895ced54eacf5868c920b6c0fdcda4ebf2a5beca32f2b
                          • Instruction ID: dd2d7daf0a5ac190a28a45a2f0ac8e4ea370255e1cb80575b1d1b4ed9a33887a
                          • Opcode Fuzzy Hash: ffe0c30208af0f4ab83895ced54eacf5868c920b6c0fdcda4ebf2a5beca32f2b
                          • Instruction Fuzzy Hash: C1414AB4B19248DFDF00EF64D5889ADBFF5FB5A204B00509AD44ADB356D7349841CF62
                          Function 0786A0B9 Relevance: .1, Instructions: 97COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b43cec9f210fa56d602a4e1d17c324c5fa196cbcff7cb931f224bab4639e5c8
                          • Instruction ID: fb34b8aa3766c8eac8420f512253561e8e54fbeb9f22066e4248f7a6470367d0
                          • Opcode Fuzzy Hash: 9b43cec9f210fa56d602a4e1d17c324c5fa196cbcff7cb931f224bab4639e5c8
                          • Instruction Fuzzy Hash: 24319EB0D09249AFDB08CB99D4485FEFBBABFDA205F04D065D41AF7252C7345941CB42
                          Function 07865F58 Relevance: .1, Instructions: 95COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ebeba5c44c456f66bae84d115fd1554563fef7021809c461ad60eb149ae013b
                          • Instruction ID: 8943bf45f2963d581c14a86c7d0ec7274da2ac67e4efda0e8f57ed4772e9fdb0
                          • Opcode Fuzzy Hash: 2ebeba5c44c456f66bae84d115fd1554563fef7021809c461ad60eb149ae013b
                          • Instruction Fuzzy Hash: B6313AB5900309AFCB14DFA9D844A9EBFF9EB48320F10842AE919E7210D735A945CFA5
                          Function 07861E58 Relevance: .1, Instructions: 92COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: efc698450791f7c47eea80255c2beadece74bbf959515442a4675b5c10885541
                          • Instruction ID: ac86b6ee1134265739bcc796bfcac4ff739409ec1b6b2d01c0cc842bef1de098
                          • Opcode Fuzzy Hash: efc698450791f7c47eea80255c2beadece74bbf959515442a4675b5c10885541
                          • Instruction Fuzzy Hash: 5A3149B4E1020AAFCB44CFA9C5885AEFBB2FF99200F14C96AD425E7355D3749A01CF90
                          Function 07867158 Relevance: .1, Instructions: 91COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8558c55785034b03d71c48c1fb64f69e5d842fc092e5b814dc2b31e037ba01e1
                          • Instruction ID: 24a9d0e8d780522bcc48a3ccd6f847e269b94b38ac626300c8e04821203d5e10
                          • Opcode Fuzzy Hash: 8558c55785034b03d71c48c1fb64f69e5d842fc092e5b814dc2b31e037ba01e1
                          • Instruction Fuzzy Hash: 313139B0E1420DEFDB44CFA9D5446AEBBF6FB99304F2094AAD416E7350D7349A41CB90
                          Function 07865218 Relevance: .1, Instructions: 90COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9fda605209d7f9e6bbc9770bd302cf64ab2cac4b3c7c7f9fe5a0dbf26ccf2fbd
                          • Instruction ID: 9efc541b5568769746f377f2913c877e7913018d1be984b476d1c5f5b5eeb95b
                          • Opcode Fuzzy Hash: 9fda605209d7f9e6bbc9770bd302cf64ab2cac4b3c7c7f9fe5a0dbf26ccf2fbd
                          • Instruction Fuzzy Hash: A93144B4E14209AFCB08CFA9E8496EEBBB2FF89310F10842AE811E7354DB745951CF50
                          Function 07865228 Relevance: .1, Instructions: 90COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 18f61b1eab041bfe84f339179989273ad684e705d1c799ebd868b986eac784be
                          • Instruction ID: 740c8e12936113f8e1927672966d2ff53eb2fa4a09a7760c56a7706fd9621249
                          • Opcode Fuzzy Hash: 18f61b1eab041bfe84f339179989273ad684e705d1c799ebd868b986eac784be
                          • Instruction Fuzzy Hash: EE3114B4E1020AAFCB04CFA9D4496EEBBB2FF89310F10842AE916E7344DB745951CF50
                          Function 07861E68 Relevance: .1, Instructions: 88COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2acd76b1bc36e9e7c5e68ef9f980c624845956843c86b928797107f638aaaf38
                          • Instruction ID: 77b912f4a5524edb3bbd88014e05297e884eff5594c0848ea91a7cd9095d58fb
                          • Opcode Fuzzy Hash: 2acd76b1bc36e9e7c5e68ef9f980c624845956843c86b928797107f638aaaf38
                          • Instruction Fuzzy Hash: 563148B4E1020AAFCB44CFA9C5885AEFBB2FB99304F14C96AC415E7215D3749A01CF94
                          Function 0786FCF8 Relevance: .1, Instructions: 80COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cda3bcf46a2867825c19ea76b4e326727c7a4faecea8b7293538cf2fa08507e1
                          • Instruction ID: c825874dd0fd2321e080d7bda57382b2283df7ba0370496f0afe93aa9490adeb
                          • Opcode Fuzzy Hash: cda3bcf46a2867825c19ea76b4e326727c7a4faecea8b7293538cf2fa08507e1
                          • Instruction Fuzzy Hash: 2D3128B4D00209AFCB05DFA8D498ADDBBF5FF89310F00806AE905AB350DB34A945CFA1
                          Function 00F1D1FC Relevance: .1, Instructions: 76COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1311823403.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_f1d000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d3bb890869cea8fe218b23f3d93006ef78f380576c38dc10a2c3a0674e8e7429
                          • Instruction ID: 25b52009e3a7669397e2ec90fc10d5ad1449b634894fed0437ab8101ac9bc344
                          • Opcode Fuzzy Hash: d3bb890869cea8fe218b23f3d93006ef78f380576c38dc10a2c3a0674e8e7429
                          • Instruction Fuzzy Hash: C9210672904280DFDB15DF14D9C4B66BB75FB88320F20C669E8150B246C336D896EBA2
                          Function 00F1D4C4 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1311823403.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_f1d000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 69075e5d6e1a97ffa95380b617f2f55d3afc546743932b65de202388b015d935
                          • Instruction ID: c9cedc867cd1d55338194a2d481a9abe6087af4355436b0f630688c342ef65be
                          • Opcode Fuzzy Hash: 69075e5d6e1a97ffa95380b617f2f55d3afc546743932b65de202388b015d935
                          • Instruction Fuzzy Hash: E9213A72904240DFDB15DF14D9C0B66BF76FB94328F24C569D8050F256C336D896EBA2
                          Function 0786A124 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bc6d82468b3f8f253e4e5f70d401a0b1f4f39888dd153ac66b6238ff0c050f35
                          • Instruction ID: ed52b1d170e6d26d714348f1e1c9edf2eb3f05eb0e95cebecf773749df30eecf
                          • Opcode Fuzzy Hash: bc6d82468b3f8f253e4e5f70d401a0b1f4f39888dd153ac66b6238ff0c050f35
                          • Instruction Fuzzy Hash: 862105B4E15208AFCB08CF9AD4486EDBBF6AB9A315F10D029E41AF2251C7345941CE55
                          Function 0786FD08 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d4d2d3f1ab2686246cdeb5a71f22804ffce0ecb9e16f643bde2437829d8dc17f
                          • Instruction ID: 46ad93e3763e5a6e26a2d495c88ffe9a1245a31871c289c7b1faea61a2322894
                          • Opcode Fuzzy Hash: d4d2d3f1ab2686246cdeb5a71f22804ffce0ecb9e16f643bde2437829d8dc17f
                          • Instruction Fuzzy Hash: 6431E8B4E10209AFCB04DFA9D498ADDBBF5FF99310F10802AE505A7350DB34A941CF91
                          Function 00F2D1D4 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1311896843.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_f2d000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4f5e38c0eac109f9f581b108001c8eed3796a9d841d2744fefd4659613dc23e
                          • Instruction ID: dd3a309f3127d2d810eefa89eb36e0797d93be95ca7d02f420821c811da3fe01
                          • Opcode Fuzzy Hash: b4f5e38c0eac109f9f581b108001c8eed3796a9d841d2744fefd4659613dc23e
                          • Instruction Fuzzy Hash: EC210471A04304EFDB15DF10E9C4B26BBA5FB84324F20C6ADE8494F292C336D846DA62
                          Function 00F2D01C Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1311896843.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_f2d000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b919ff8260f78d0d33f9319cd02827380fe660bb90c0a4d6de0cc854161d1995
                          • Instruction ID: bfad005aef9bbf40d5357edcfa9b5e8b5fe931f6a74c4b421e6d37b797df0d49
                          • Opcode Fuzzy Hash: b919ff8260f78d0d33f9319cd02827380fe660bb90c0a4d6de0cc854161d1995
                          • Instruction Fuzzy Hash: E721F276A04340DFDB14DF14E9C4B16BB65EB84324F20C56DD84A4B2AAC33AD847DA62
                          Function 0786A260 Relevance: .1, Instructions: 67COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d3bf7c2a0f12a7a94132b6e6439908284bcdad2a13fc92823a7de97d1d65b98f
                          • Instruction ID: 4cf7fdc4aaa4d7301162d60f8ab50b115dba9daf2e8f7615f193424d0a5de06d
                          • Opcode Fuzzy Hash: d3bf7c2a0f12a7a94132b6e6439908284bcdad2a13fc92823a7de97d1d65b98f
                          • Instruction Fuzzy Hash: 0A21E7B4948209EFC744DFA9C185AAEBBF6BF5A300F209195D809F7312D7719A41CF52
                          Function 078619A8 Relevance: .1, Instructions: 67COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22dcde98f69302e7f2140edc7ce2bb5f88c2333eba2c484eb540f89015f50a0d
                          • Instruction ID: 118725a893c7fd073d04d258852720bb19db57b7a51e8a051056d6c5b4b0b670
                          • Opcode Fuzzy Hash: 22dcde98f69302e7f2140edc7ce2bb5f88c2333eba2c484eb540f89015f50a0d
                          • Instruction Fuzzy Hash: 91216DB0E10209EFCB04CFA9C5456AEFFF2EF9A300F1080AAC404E7251E7349A01CB51
                          Function 078619B8 Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f28c8ffcabef453400a6e027c2b83d88ace8b0a359456e86c618f988e5bd16b
                          • Instruction ID: 6b8971b4a71a267a45e7f206ceed6feb5e0b66881b797df5090383b8d06b1dbc
                          • Opcode Fuzzy Hash: 2f28c8ffcabef453400a6e027c2b83d88ace8b0a359456e86c618f988e5bd16b
                          • Instruction Fuzzy Hash: 49212AB0D1420EEFCB44CFAAC5856AEFBF2BF99300F10D56A8405E7251E7749A41CB91
                          Function 00F2D005 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1311896843.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_f2d000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a8bdf6e8d33f0449aee3df24bb7563b10dbed37873a477169116999ba2f74aa7
                          • Instruction ID: fdf2d1fbda2c05b77de24769f18ebcf2ebec4ece4ed26e86b833e142810fae40
                          • Opcode Fuzzy Hash: a8bdf6e8d33f0449aee3df24bb7563b10dbed37873a477169116999ba2f74aa7
                          • Instruction Fuzzy Hash: CC2162755093C08FCB16CF24D994715BF71EB46324F28C5EAD8498F6A7C33A980ADB62
                          Function 0786A7E2 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 41f2cf751e017d7632ac8b1ca1b648db4f99336ce00ba5c85cb84b75ca6f042b
                          • Instruction ID: a1242d2947de9ad5b02b3de563b43776450ae6911356246f0f9cb219ceb79425
                          • Opcode Fuzzy Hash: 41f2cf751e017d7632ac8b1ca1b648db4f99336ce00ba5c85cb84b75ca6f042b
                          • Instruction Fuzzy Hash: CA21E5B1D046589BEB19CFA6D8547EEFEB6AFC9300F14C06AD408A6264DB740949CFA1
                          Function 0786E528 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f62b2c99d59879a1d987de995e7b1a0d822b7f6477ddab968f5cdea63febad80
                          • Instruction ID: 9d4a03fd287f9cd288288c536d89ff8db4906f9d6feeb5e951ddb6007efa9308
                          • Opcode Fuzzy Hash: f62b2c99d59879a1d987de995e7b1a0d822b7f6477ddab968f5cdea63febad80
                          • Instruction Fuzzy Hash: 431191B8F10219ABDB289E79981C7BF76A2BB94B50F04812DA506D7388FA70CD0197D1
                          Function 0786A319 Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 88c4fa33a245b9cc2a7040fa2bc4aec296ebac94e2499d5a8282e317c678da8a
                          • Instruction ID: d953db21db573918465aa7328f11488d82cb9fda740d7ab2ea9fb13f05d8fddb
                          • Opcode Fuzzy Hash: 88c4fa33a245b9cc2a7040fa2bc4aec296ebac94e2499d5a8282e317c678da8a
                          • Instruction Fuzzy Hash: F9115BB4D08208EFCB08DFA9D6459EDBBF4FB5A350F00C196C418EB212C7309A45CB92
                          Function 0786A270 Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cde206de73714859156301f48abedaf4a8b0e54459ee2cfe1f156c1ba7424931
                          • Instruction ID: 13314653273f4255cfa2a599ded80af8df6a7fdd493e6df1146bc6388a29cfa7
                          • Opcode Fuzzy Hash: cde206de73714859156301f48abedaf4a8b0e54459ee2cfe1f156c1ba7424931
                          • Instruction Fuzzy Hash: 5121F7B4E48209EFCB44DFA9C185AAEBBF6BB59300F209055D809B7311D7719A40CF52
                          Function 0786D11B Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f470d93544f10ead6d09d4162c1554982d75d39447ce55bd38a429033e54bb50
                          • Instruction ID: 2331ded188f91a82214afe9ab7b0628af01514b7876efb05fcf824ab1b0ce05d
                          • Opcode Fuzzy Hash: f470d93544f10ead6d09d4162c1554982d75d39447ce55bd38a429033e54bb50
                          • Instruction Fuzzy Hash: 4721F8B4A00219DFCB10DF64D989AADBBB6FB99301F108596D80DEB344D7389D86CF20
                          Function 078670B0 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8eea2e5aaa44a56cb97f02d32cf425b82fcf647ff445666c021f29e31f9ce710
                          • Instruction ID: a8539b5bb3e29db133a26547fa81233eed28c47ddb728364e2b2bb9e1a7e1b39
                          • Opcode Fuzzy Hash: 8eea2e5aaa44a56cb97f02d32cf425b82fcf647ff445666c021f29e31f9ce710
                          • Instruction Fuzzy Hash: 25117CB4E15209EFCB14DFB8D94529DBFB6EB86314F1491AAD408E7390DA348E44CB92
                          Function 00F1D1F7 Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1311823403.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_f1d000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                          • Instruction ID: 3f8504ece0e1832e88852b083124009586b5463fb30f03ccd5eab8f95235ce08
                          • Opcode Fuzzy Hash: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                          • Instruction Fuzzy Hash: 5621E176904280CFCB06CF00D9C4B56BF72FB84320F24C2A9DC080B656C33AD866DBA1
                          Function 0786D2CC Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a9c84cf9451c0d021626b0eaea740caf520e3d26064a8f2232a302ea4dcc5d8e
                          • Instruction ID: 7ffdd3160c0d627a465333060cb6eb1c84257b7d13a59b8b88aa3a4e50f21225
                          • Opcode Fuzzy Hash: a9c84cf9451c0d021626b0eaea740caf520e3d26064a8f2232a302ea4dcc5d8e
                          • Instruction Fuzzy Hash: EA2109B4A01219DFDB109F64D989BA9BBB6FB99204F0081D5DD09E7309DB385E49CF21
                          Function 07866EE8 Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7821aa2e0f7b52f34f1924a034b7f2829a715021a8d4f487e0c1a8a201b05161
                          • Instruction ID: 148dc1fd2453f37fcf51ea4eb418351a2eb8d1aa275d8b31640026d60f03a070
                          • Opcode Fuzzy Hash: 7821aa2e0f7b52f34f1924a034b7f2829a715021a8d4f487e0c1a8a201b05161
                          • Instruction Fuzzy Hash: 851158B0E05249EFCB04CFE9E54429EBFF6EF9A240F24C4AAC019E7214E6309E00CB50
                          Function 00F1D4BF Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1311823403.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_f1d000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction ID: 0d3e061c0198f14f3a61769ddf441bcc740d891f352b93619208875267c2b63f
                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction Fuzzy Hash: 1B11E676904280CFCF15CF14D5C4B56BF72FB94328F28C6A9D8490B656C336D856DBA1
                          Function 07866FA9 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 54863980c42db2cc09614b5d81a8823a08dff0cfc95505dedefa9bd371ffaab9
                          • Instruction ID: 5396e657a08ab5836b5f4f8af948f2ef4740bd00a588c2a77bcc7736344a83ad
                          • Opcode Fuzzy Hash: 54863980c42db2cc09614b5d81a8823a08dff0cfc95505dedefa9bd371ffaab9
                          • Instruction Fuzzy Hash: 1D119DB0E19249EFCB09CFA8D54429EBFF2AF89304F24C4AAD405E3344E6309A00CB52
                          Function 00F2D1CF Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1311896843.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_f2d000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                          • Instruction ID: e5f3b102861f8a558730a04b00d41b358c4318e01256d28b0791c2621bbed044
                          • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                          • Instruction Fuzzy Hash: BD11DD75904280DFCB05CF10D9C0B15FBB2FB84324F24C6ADD8494B296C33AD80ACB62
                          Function 07865168 Relevance: .1, Instructions: 52COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 779fd0585b551e4583b2e066a8f2b2a4208352eedd41472f582c0eb19161a5c9
                          • Instruction ID: 0a80d7d05566c35c443ba24c3052d72fadcab74813b3f95b1bf565331c251a7d
                          • Opcode Fuzzy Hash: 779fd0585b551e4583b2e066a8f2b2a4208352eedd41472f582c0eb19161a5c9
                          • Instruction Fuzzy Hash: 86119EB4E0520AEFCB04CFE5DA456DEBFF2EB96310F2485AAD414E7340D7344A419B91
                          Function 0786B680 Relevance: .1, Instructions: 51COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b669792dab3507c8d663c7287d5e3785fe4fa21a24bc0f33e277da38c4ab78e
                          • Instruction ID: 646cd3208b750a7194d4e03751330692bdfe1389f501695bac72936128f602bd
                          • Opcode Fuzzy Hash: 9b669792dab3507c8d663c7287d5e3785fe4fa21a24bc0f33e277da38c4ab78e
                          • Instruction Fuzzy Hash: C6019AF094C249FFCB00CB25C8449BABFB8EFAA308F249295D409CB112C3308E45DB90
                          Function 0786A7F0 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 46b612d9416c661bc3976ad9adc2a74eac67abc86076e30c72b235f78d0f52eb
                          • Instruction ID: 4c14677e514ecb497a21f8276d818c509101e865cb68ba45ae516c0bfd695df7
                          • Opcode Fuzzy Hash: 46b612d9416c661bc3976ad9adc2a74eac67abc86076e30c72b235f78d0f52eb
                          • Instruction Fuzzy Hash: AA11A4B1D006189BEB18CF9BC8597DEFAF6AFC9304F14C06AD509B6264DB7509458FA0
                          Function 07866FB8 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 29310afa5027d73ffa199387b914b20f05376f60e0f4f288ac3e523fdcf1e25f
                          • Instruction ID: 7ea6f7cf1e7227b8b114cdeb140e03f59ff9d9b488994682c56fb0c517862a01
                          • Opcode Fuzzy Hash: 29310afa5027d73ffa199387b914b20f05376f60e0f4f288ac3e523fdcf1e25f
                          • Instruction Fuzzy Hash: 09115AB0E15209EFCB48DFA9D54469EBBF6AF99304F20D5AAD405E3344EB309A41CB52
                          Function 07866EF8 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 66107c2ee4cad34b41fbb00dbc54c35aa2c1e9272071c12a8e836343b06d69a1
                          • Instruction ID: 2f462e5f3b1477380cc7f1d116100c13a0a74004f610a424cbd7a52a5ba053fe
                          • Opcode Fuzzy Hash: 66107c2ee4cad34b41fbb00dbc54c35aa2c1e9272071c12a8e836343b06d69a1
                          • Instruction Fuzzy Hash: 081118B0E15249EFCB44CFA9D54569EFBF6EF99300F20D4AAD419E7214E6309A00CB50
                          Function 0786A902 Relevance: .0, Instructions: 49COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c2287091ca3100e89d470f66c7b32df57729ffe687c816bc33ca29636b71d87
                          • Instruction ID: a1a46f01f8e1285db68ba9329ade548a5a19457ed6e34e9141e7162b6018c453
                          • Opcode Fuzzy Hash: 7c2287091ca3100e89d470f66c7b32df57729ffe687c816bc33ca29636b71d87
                          • Instruction Fuzzy Hash: 951158B4809218DFCB29CF64C5486ECBBB6FB1A309F108599C41AB7341C7359980CF52
                          Function 0786D010 Relevance: .0, Instructions: 48COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 698c58ee0f793e3c371ac3edf2bd24cca37ec1f0d98151c82f75784c0f06de0c
                          • Instruction ID: d1c56f50a676e7b949939615d10b18e087a525497dda02f624ba7968030f5ea6
                          • Opcode Fuzzy Hash: 698c58ee0f793e3c371ac3edf2bd24cca37ec1f0d98151c82f75784c0f06de0c
                          • Instruction Fuzzy Hash: BA11ADB4F04219EBCF10EB64D8897ADBBBABB99200F009954C40AE7249D7785945CF62
                          Function 0786D05E Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 222761bf05f6e1cd58c31099033772ba8269dbc79f4164e7960fca612ee51ac2
                          • Instruction ID: fcf612dc973c4c3270f311a0d12d1f84f0b0d3817059f994088fd271d0e94539
                          • Opcode Fuzzy Hash: 222761bf05f6e1cd58c31099033772ba8269dbc79f4164e7960fca612ee51ac2
                          • Instruction Fuzzy Hash: 95115BB5B18208DBCF00EF68D5899A97BF9FB69204B106055D41AE7206D7389900CF72
                          Function 0786AA8B Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 91a51c4c03639c7a950736a3b789e29286810e8b91b326fa5ff210fb7d2dc9d6
                          • Instruction ID: 4d1ae60e96a2186e265e7eed19cb03caf0399ff725bfeb3b7b58838aba72c6b7
                          • Opcode Fuzzy Hash: 91a51c4c03639c7a950736a3b789e29286810e8b91b326fa5ff210fb7d2dc9d6
                          • Instruction Fuzzy Hash: C511F5B4914218DFCB18DFA4C588ADCBBB6BB5E315F1490AAD50ABB301C734AD81CF61
                          Function 0786B6FA Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b1b524d21db73a1dd275ad3becd4aff00a5a2968f611576e51b3babf47572893
                          • Instruction ID: c3394989978481c2f1b2c465d5835d9c5d2ccafafe3fb7c569390bec10f6d119
                          • Opcode Fuzzy Hash: b1b524d21db73a1dd275ad3becd4aff00a5a2968f611576e51b3babf47572893
                          • Instruction Fuzzy Hash: F9015EB8904308EFD700DFA8CA49EA9BFF5EF8A300F25C195E408DB262D6349E00DB50
                          Function 07865178 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb120bde32a764765003578b7c795fb18664a333be6871f5e69c5600bab8db92
                          • Instruction ID: ba35efb53d776f2b4783db0715d5f08ade18b937433e5a78166d79cf945c4aa0
                          • Opcode Fuzzy Hash: bb120bde32a764765003578b7c795fb18664a333be6871f5e69c5600bab8db92
                          • Instruction Fuzzy Hash: 45111EB4E0520DEFCB48CFE9D5456AEFBF6EB98300F10806AD509E3344E7705A509B91
                          Function 0786D000 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d7e16423254ff7cec126e9249e115ec987be3f78391437121f09911ce7665a6c
                          • Instruction ID: b7889123d15f1264ddf09e8eaa442e24b95ee6e1898082e19c84d57634419e5a
                          • Opcode Fuzzy Hash: d7e16423254ff7cec126e9249e115ec987be3f78391437121f09911ce7665a6c
                          • Instruction Fuzzy Hash: CE0126B0F08308FFDB00EB64C4887EE7BB9ABD9300F008155D401D6245D778054ACB72
                          Function 0786D151 Relevance: .0, Instructions: 41COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a6c66af64472b20bda00c22208bf580537fc36eda108edb2e5df06655d00613
                          • Instruction ID: d29b4263bcc7de726ec235fa3fa3180ec3460b7739d98010ea7d312f235451af
                          • Opcode Fuzzy Hash: 3a6c66af64472b20bda00c22208bf580537fc36eda108edb2e5df06655d00613
                          • Instruction Fuzzy Hash: 06112AB4A01219DFDB10DB64DC89B98BBB6FB88200F1081D6D90DAB758DA345E85CF71
                          Function 0786907F Relevance: .0, Instructions: 40COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b7e5529b630bf56442c129edc5845cf720f67d9f56d6a5c66c86c04de9b64eb
                          • Instruction ID: 0af60d66bb31028a48ffadb9d3391c997ccc2bd1941353712895f79db7726564
                          • Opcode Fuzzy Hash: 5b7e5529b630bf56442c129edc5845cf720f67d9f56d6a5c66c86c04de9b64eb
                          • Instruction Fuzzy Hash: 0BF081B090A389DFCB11CB54C9986EDBBB9ABAA318F0065EDC109D7195D6312945CF13
                          Function 0786B690 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5723811ab5b8f08a866b384806c9a9e58ad72e8cf9b4ce8e1d56152c668ab437
                          • Instruction ID: b3f620a6345767afc090e64078bd813e354de77c0923e096253ff4f40c666984
                          • Opcode Fuzzy Hash: 5723811ab5b8f08a866b384806c9a9e58ad72e8cf9b4ce8e1d56152c668ab437
                          • Instruction Fuzzy Hash: 72F03CF095C20CFBCB04CF55C548AB9BFB9AFAA309F2491A5D409DB212D7309A45DB40
                          Function 078670C0 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 75d83493c40af4c2ebc6bb1ceb150b54f2c4ce584ca17a9e46a55782d9df6848
                          • Instruction ID: d7fba650cb6be0421427a3c910eff97c8c2ee2f5c55839774c9e7c461eb09db8
                          • Opcode Fuzzy Hash: 75d83493c40af4c2ebc6bb1ceb150b54f2c4ce584ca17a9e46a55782d9df6848
                          • Instruction Fuzzy Hash: 1B01A4B4E15208EFC744CFA8DA4525DFBF6EB86304F14D0AAC408E3354EB308E448B95
                          Function 07865AB0 Relevance: .0, Instructions: 38COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 639eef2f099fba48cd5d88bd6aa8fe6bcb13b3db00a66725198b5b798fcf32a3
                          • Instruction ID: 6e5ddecc4e7d735d33c0506af693594b8d559a9b50e043c565e7012009c50fd9
                          • Opcode Fuzzy Hash: 639eef2f099fba48cd5d88bd6aa8fe6bcb13b3db00a66725198b5b798fcf32a3
                          • Instruction Fuzzy Hash: 9C0124B0E18249AFCB55CFB8D9182AEBFB4AF1A300F1040AAD805E7381E7714A00CB51
                          Function 0786D0E6 Relevance: .0, Instructions: 37COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a1c488b804f1260096acefc41c49ec2ad4ee3d90881f61b955cb8bae694417e1
                          • Instruction ID: 7fb3c0dc78d1d18cb809acbf510f6a26253ba600b5ad23b84943f84388a2d320
                          • Opcode Fuzzy Hash: a1c488b804f1260096acefc41c49ec2ad4ee3d90881f61b955cb8bae694417e1
                          • Instruction Fuzzy Hash: 3801E5B4A18308DFDF04DFA8E4895ACBBB5FB99305B14906AD90ADB345D7385805CF21
                          Function 0786A8A8 Relevance: .0, Instructions: 37COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd98824c9fc85a0aec93e91cd3734e7d05978d67676160b555fde21b78d027a1
                          • Instruction ID: 47249a0a1922ab6007479fba143c5ad5473b35e0fcb25aa314ae27c904192e4f
                          • Opcode Fuzzy Hash: fd98824c9fc85a0aec93e91cd3734e7d05978d67676160b555fde21b78d027a1
                          • Instruction Fuzzy Hash: B301E274A45219DFCB68CF54C984BE8BBF6AB4D311F1090E9E909B7341D635AE80CF10
                          Function 07861D41 Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3e302103d25ea2fab5b755e398b4fc60f5439c4a2c86744dffa6fbb3fa71a313
                          • Instruction ID: 7232575952c676025637db177aaaf14210643784288275e4c567ce1d70676077
                          • Opcode Fuzzy Hash: 3e302103d25ea2fab5b755e398b4fc60f5439c4a2c86744dffa6fbb3fa71a313
                          • Instruction Fuzzy Hash: 63F04FB1E5421AAFDB04DFA8C409AEEBFF5BF09320F10456AE500E7301D77085418BD0
                          Function 0786D22C Relevance: .0, Instructions: 35COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 210e330678f5e02c9f69aa040e978f64b0545368e2ebf97c01631ec60f51b549
                          • Instruction ID: 11ec0492450748d26c41cf9bf9b5b06e54c9e29049a0fabbe1285278a6ff3257
                          • Opcode Fuzzy Hash: 210e330678f5e02c9f69aa040e978f64b0545368e2ebf97c01631ec60f51b549
                          • Instruction Fuzzy Hash: F90156B4B142488FCB00DBE4C888A9C7BB6FB88304F105295D80ADF74CD634580ACB60
                          Function 0786A113 Relevance: .0, Instructions: 33COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4c381df586f0e54f19486db6b0b4158e82c8165ed292706d2a85064de8022b8
                          • Instruction ID: 7446dfa83a28d34156aef0479de67d04579f6c19033d09ce4f3f01765dee7614
                          • Opcode Fuzzy Hash: b4c381df586f0e54f19486db6b0b4158e82c8165ed292706d2a85064de8022b8
                          • Instruction Fuzzy Hash: 1EF0F4B4A5914DEBCB09CA94E8498FDB73AFBDB216F00D015D41BF2251C7345945CF52
                          Function 0786AD35 Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b890c967b8b03fb09cb18e247ea63ec078fe32f939df461f8d440f5a9fa329f3
                          • Instruction ID: 2c5abd8f63d8900448ab62cd16f1122bafedd1469ef0b0a4e398886fee17d424
                          • Opcode Fuzzy Hash: b890c967b8b03fb09cb18e247ea63ec078fe32f939df461f8d440f5a9fa329f3
                          • Instruction Fuzzy Hash: 7A01A4B0955218EFCB29DFA4D588AACBBB6BB5A205F10C59AD50AB7201C7359880CF52
                          Function 07865AC0 Relevance: .0, Instructions: 30COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5936483562aca676b0ad3ac5474e6b7e3bb8a0f9327aa5a2214f3f90341ff30b
                          • Instruction ID: 1b8dbc579c6ae2fa2e4c36e352c5f2ffb5c3d7f2f65b050bf18823e913ab1646
                          • Opcode Fuzzy Hash: 5936483562aca676b0ad3ac5474e6b7e3bb8a0f9327aa5a2214f3f90341ff30b
                          • Instruction Fuzzy Hash: FEF0A4B4D14209AFCB54DFA9D5456AEFBF9FF58300F10806A9819E7381EB715A00CB91
                          Function 0786E4B8 Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 209539ba046eaa444ac10be16e882ff8ff4b2df8d8c9b426c9f136b025f02ee6
                          • Instruction ID: cb9487b80a27b0790f8f9c454d7611bd0ca3058cf951a89218c2047ec9cc55f8
                          • Opcode Fuzzy Hash: 209539ba046eaa444ac10be16e882ff8ff4b2df8d8c9b426c9f136b025f02ee6
                          • Instruction Fuzzy Hash: 2AF090B4904388BFCB01DFA8D81469DBFF0EF49300F1081AAD85492351D6384E95DF51
                          Function 0786D0B8 Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d24e276de083a04a2f66bfbd3c5f1e4db09a67171014575ff61e0ae884b97dc6
                          • Instruction ID: fecc8c44243ac5d159f18e203768c8578d8e40b6c42f4ce8a7531b98ae0d9b9f
                          • Opcode Fuzzy Hash: d24e276de083a04a2f66bfbd3c5f1e4db09a67171014575ff61e0ae884b97dc6
                          • Instruction Fuzzy Hash: CCF0F9B4A14308EFDB10EFA4E5889ACBFF6FB99201F144199D90ADB355D7389806CF15
                          Function 07861D50 Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b5e28f39b5429136b9f665d5930a807e47523f60e3854589a88766b928e459e6
                          • Instruction ID: c161eb3a90016af3a133fc4f281595d82c61a1243716983bb552a581a8d0c82d
                          • Opcode Fuzzy Hash: b5e28f39b5429136b9f665d5930a807e47523f60e3854589a88766b928e459e6
                          • Instruction Fuzzy Hash: 7CF0DAB0E0420EAFDB44DFA9C849BAEBFF4BB48310F1049A9D518E7301DB7595408B90
                          Function 07868E20 Relevance: .0, Instructions: 28COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3b9257ee115256f19371a66a3e5f65ca6de744ec6dbd3399f7650b6ae0c574e
                          • Instruction ID: 6b77753128673baff5a9eeb4ea732a9c678326b7bb2666defe9d8da68b7d0c43
                          • Opcode Fuzzy Hash: a3b9257ee115256f19371a66a3e5f65ca6de744ec6dbd3399f7650b6ae0c574e
                          • Instruction Fuzzy Hash: A0F0BEB4D09389AFCB02DFB8C8006ADBFB4FF49300F1085AAD858A3341E3704A55DB91
                          Function 0786AC69 Relevance: .0, Instructions: 28COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c4a42c698bc4ef6c4eb2c6c81bbec50c2733543064cf79dce21d398fff828443
                          • Instruction ID: 40a17127b7e583755163354cc22b38dde3f5f90086d2e19fb5d6d913bbc7f0ff
                          • Opcode Fuzzy Hash: c4a42c698bc4ef6c4eb2c6c81bbec50c2733543064cf79dce21d398fff828443
                          • Instruction Fuzzy Hash: 6BF09A70A092488FC709CBA4C4986D8BFF6AB4F309F1490A9C409AB212C3369D80CF01
                          Function 07865F56 Relevance: .0, Instructions: 27COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d57bdcd130575cdfba2b09ba60e31c7e8cf64d70b6b400dab8d7cf3a2d1bbdf7
                          • Instruction ID: b599d6bd58179b416b1bdbfbc65edd893aafbe3b238e72a47704717b8e1528e3
                          • Opcode Fuzzy Hash: d57bdcd130575cdfba2b09ba60e31c7e8cf64d70b6b400dab8d7cf3a2d1bbdf7
                          • Instruction Fuzzy Hash: A6F06D72600109BFDF48DF98D945D9E7FFAEB48220B11816AE408D7224E730E9508B44
                          Function 0786EEA0 Relevance: .0, Instructions: 27COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cf4fa17030b1da9760787b09b8e376f7ab6d11300e614e0aa24efa49f978f41e
                          • Instruction ID: 4bc136bc8531c354469c97e1e7860e435876afeaafb865f298fb2c216ce105c8
                          • Opcode Fuzzy Hash: cf4fa17030b1da9760787b09b8e376f7ab6d11300e614e0aa24efa49f978f41e
                          • Instruction Fuzzy Hash: 6AE092B0805348AFDB119B68A8153DD7FB4FF41341F1142BADC4897391EB380E85DBA2
                          Function 07861CE8 Relevance: .0, Instructions: 27COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1c004c21a0025193fcc6b409b469e8e6ee3a73e3a6f89e481b6c1a73afc0910b
                          • Instruction ID: 8b3f1f00fe0260fe0fa1502cc06e29b481446602174156cd5c20e633dfedba48
                          • Opcode Fuzzy Hash: 1c004c21a0025193fcc6b409b469e8e6ee3a73e3a6f89e481b6c1a73afc0910b
                          • Instruction Fuzzy Hash: 67E039B1D50119AFDB40DFA8C808ADABFF1AF09225F248566D114E7321D37445018B90
                          Function 0786E4C8 Relevance: .0, Instructions: 23COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b14ea549b0bba9d8c0dd63298082a470a387285f90b126fb7f8def4b9842a083
                          • Instruction ID: e787467c5f16bb0703900a082f673361ecedfb442da33da8faf1593040498747
                          • Opcode Fuzzy Hash: b14ea549b0bba9d8c0dd63298082a470a387285f90b126fb7f8def4b9842a083
                          • Instruction Fuzzy Hash: D4F0A5B4D0420CBBCB55EFA8D44569DBBF5EB88301F1081A9E918A2350D6385E95DB91
                          Function 07861DE1 Relevance: .0, Instructions: 23COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 710a18d7e8e7ffc8904ee3a72ed43da9a4332d0feba21a4832755f6cc6539cc4
                          • Instruction ID: 7f7f8dddfec7d8624a7d39634a80be4c64232fde68fba27620dc7fb41dca7f23
                          • Opcode Fuzzy Hash: 710a18d7e8e7ffc8904ee3a72ed43da9a4332d0feba21a4832755f6cc6539cc4
                          • Instruction Fuzzy Hash: 30E0C2EB95A3E527CB9341A4AD556CA7FA4BB132B3B150497E480C6043E254030AA7E0
                          Function 07861278 Relevance: .0, Instructions: 22COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 277671bf0b6cc779d66111bb4e3ae479db31bba22ed7f4dab7a069dda5dc5a09
                          • Instruction ID: bb763a59cbe84fc4592d36087c9b9665c0ee54d2f6c62d677020d4ef40998cc6
                          • Opcode Fuzzy Hash: 277671bf0b6cc779d66111bb4e3ae479db31bba22ed7f4dab7a069dda5dc5a09
                          • Instruction Fuzzy Hash: 04E0923A900314DFC7118F64E8858947731FF993B6B1002F5E826872A2CB3A8E81CF50
                          Function 07867068 Relevance: .0, Instructions: 22COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08a774d57ac939ae08350d4f775c64136854aab1b1403bda73a1c9051af533eb
                          • Instruction ID: c5f4375a58c35442710d391751d96d5cc228cab02f2fcc68b7385fa8b17c5469
                          • Opcode Fuzzy Hash: 08a774d57ac939ae08350d4f775c64136854aab1b1403bda73a1c9051af533eb
                          • Instruction Fuzzy Hash: B6E0D8719053D6AFCB1ADBBCC4412DDFFB4DB03355F0486DAD4189B292C6354A46C752
                          Function 0786D46B Relevance: .0, Instructions: 21COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 55b5a541ead5a4a1d459d07909d0a2c94ac2ab7f8b31314bdb402d39487b020f
                          • Instruction ID: 5d0e9fa9a0b2bad47201cdd5c77f2cbebd52102c1f0c4dc58e33ef8e0166cc0b
                          • Opcode Fuzzy Hash: 55b5a541ead5a4a1d459d07909d0a2c94ac2ab7f8b31314bdb402d39487b020f
                          • Instruction Fuzzy Hash: CDF039B8A04246DFDB00CF68D18996EBFF4FB59300B058094D449DB311C738AC40CB61
                          Function 078672A2 Relevance: .0, Instructions: 21COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61973e11a85f6323d06b0b7896f1d709238819121f5ff70f2cb61f510eed9e8c
                          • Instruction ID: 46b0d6e2e440c92370a60e96da216854d678601817bd4a075c2a71cc3eccb8df
                          • Opcode Fuzzy Hash: 61973e11a85f6323d06b0b7896f1d709238819121f5ff70f2cb61f510eed9e8c
                          • Instruction Fuzzy Hash: 1AE08675910245AFCB54DFB8C445ACCFBB4EF06366F1082D9E9298B3A1C7369946CF80
                          Function 07868E30 Relevance: .0, Instructions: 21COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 308407fba7eaa9b612d20a48b1a6da9cfaea87ae6ff45274fdfc9e66f42bc8d6
                          • Instruction ID: c57b534237f45f2de8381f86b747ac391aba7555b1093037487b7af5f06448b0
                          • Opcode Fuzzy Hash: 308407fba7eaa9b612d20a48b1a6da9cfaea87ae6ff45274fdfc9e66f42bc8d6
                          • Instruction Fuzzy Hash: DAE0EDB4D01309EFCB44DFA8C5056ADBBB5FB18300F5085A9D818A3340D7755A51DB85
                          Function 07868E72 Relevance: .0, Instructions: 20COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be61f2cd33f8dac06e28afbb49fb5b00977e84ee58c46b101189a6e5fe6e482f
                          • Instruction ID: d234d57b647d4b46dae0ffd5ac729de3faba1fe40d098abc92d2bfcb1707a612
                          • Opcode Fuzzy Hash: be61f2cd33f8dac06e28afbb49fb5b00977e84ee58c46b101189a6e5fe6e482f
                          • Instruction Fuzzy Hash: 8ED05B750493C5AFD31267A4B80D2757F78DBD2211B454152E98D81052C76C0998C7B3
                          Function 0786AB97 Relevance: .0, Instructions: 20COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 77f60c1ad8632ed211bab53916c0e8fd25abded3f46fda646de693cad016a634
                          • Instruction ID: 54ead0c204f121a35561c5fa81466ed63456e5335f15c5e70cb38c2dfa5b5b8b
                          • Opcode Fuzzy Hash: 77f60c1ad8632ed211bab53916c0e8fd25abded3f46fda646de693cad016a634
                          • Instruction Fuzzy Hash: 63F015B0809258DFCB29DF64C94C798BBB2EB0A205F0184AAC41EBB252C7744985CF62
                          Function 078672A8 Relevance: .0, Instructions: 19COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7962dc3703b8c3cd061d888ca292379b4cfc81b6caa51ae8f1333f79b5b683ec
                          • Instruction ID: 14337b30a33dd5476514773cf22605bc200a29dc2d5d19f87993e8d957ae746b
                          • Opcode Fuzzy Hash: 7962dc3703b8c3cd061d888ca292379b4cfc81b6caa51ae8f1333f79b5b683ec
                          • Instruction Fuzzy Hash: 1AE09A74D10208AFC784DFA9D449A5CBBF4EB09714F0080E9D819D7350E6749944CF41
                          Function 07861260 Relevance: .0, Instructions: 18COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7ea958c468a0afbdf5e4e31589bbb35bddba2e548bfc8f5befe5be69e4d6cc0e
                          • Instruction ID: 0052d9f975fe8802a557e6851cd158fae2a41a48caa6b0c09be2951f9226e798
                          • Opcode Fuzzy Hash: 7ea958c468a0afbdf5e4e31589bbb35bddba2e548bfc8f5befe5be69e4d6cc0e
                          • Instruction Fuzzy Hash: EEE0127AA01304DFC316DF69E5544987F72FF863AAB9000A5E505C7721C73AD950CF50
                          Function 07861CF8 Relevance: .0, Instructions: 18COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dcdeb0dd4b28383a97f4926e32f6e975a3bbf887482abd25f7a7c6ac9a5f4e39
                          • Instruction ID: 042a8027ca615e9e29eb9e9d9a6f86d8e664060db99ed71f0da71380fd6370ab
                          • Opcode Fuzzy Hash: dcdeb0dd4b28383a97f4926e32f6e975a3bbf887482abd25f7a7c6ac9a5f4e39
                          • Instruction Fuzzy Hash: E6E092B0D4020DAFD780EFB9C909B5EBBF0AB09604F1189A9D119E7252E7B49A058F91
                          Function 0786901A Relevance: .0, Instructions: 17COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c3b62cd8ea967a3eb72f597152c73669652e17023bc5711686fa96eaead67b49
                          • Instruction ID: a618f3cac82dce6a88739e924dafc3d175d7c118d9940a33a020b09076ce34e7
                          • Opcode Fuzzy Hash: c3b62cd8ea967a3eb72f597152c73669652e17023bc5711686fa96eaead67b49
                          • Instruction Fuzzy Hash: 90D01736A4A269CFDB11CB10ED447ECBBB5EB86315F0051E6D009D7265C7342B89CF52
                          Function 07867078 Relevance: .0, Instructions: 17COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9545558042aa68175327ab194f9809965137c30374f858077e59b7e96a64cff2
                          • Instruction ID: fb5d46d64d38d29ccc297477b1760b55046b12288ab28729fbe6780d3d5bd8ee
                          • Opcode Fuzzy Hash: 9545558042aa68175327ab194f9809965137c30374f858077e59b7e96a64cff2
                          • Instruction Fuzzy Hash: EFE0E2B0D00209BFCB54EFB9D44569CBBF8EB44304F0080AA8818E3240EA745A84CF82
                          Function 0786EEB0 Relevance: .0, Instructions: 17COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 050ead7b677e0c51f35b777bdb6e0145a38dde0d1ea52d4c260e4462efe4a5e0
                          • Instruction ID: 45dc03059821609ea843ab8e6ed4cf6c22c85def37be8b763414ae15c34d1be0
                          • Opcode Fuzzy Hash: 050ead7b677e0c51f35b777bdb6e0145a38dde0d1ea52d4c260e4462efe4a5e0
                          • Instruction Fuzzy Hash: 28E0C2B490020CFBCB00EFA8E40539C7BB8FB40302F5001A8D908A3380DF340E80D781
                          Function 07864980 Relevance: .0, Instructions: 15COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be01e2e9d993f210dde740ce1de47d04bb3f643496bad1b65a3e3412f748f7d9
                          • Instruction ID: 1017fd9515efdcaabb6c7784c82e5d9f134fc12fecf945acad5e070f86b3e3bc
                          • Opcode Fuzzy Hash: be01e2e9d993f210dde740ce1de47d04bb3f643496bad1b65a3e3412f748f7d9
                          • Instruction Fuzzy Hash: D7D0A9B085224CEFC704EFB8990AB5DBBB8AB00300F2000A88908932A0FA700F44C781
                          Function 07861DF0 Relevance: .0, Instructions: 14COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25ba813d7799fc9ee77bb1e8e0722954c142608dcad3b2585090bcbdb7cba94c
                          • Instruction ID: 82beda5bbe01afa0292d44453e693f1e1deef75cefcbfd037179a5a262703972
                          • Opcode Fuzzy Hash: 25ba813d7799fc9ee77bb1e8e0722954c142608dcad3b2585090bcbdb7cba94c
                          • Instruction Fuzzy Hash: 86D0123624010D5F4B80EFA4E804D567BDCBB24700B40C822E508CB031F621E534D791
                          Function 07868E80 Relevance: .0, Instructions: 10COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7687ff8310a7fa7eebf9f66c486378fba7a296821fd4c552a047a6751f12c611
                          • Instruction ID: 7cd9543a8d0f1a5649ccdac3d110bb1b2994d2cf677968ed0018d412dc6bb187
                          • Opcode Fuzzy Hash: 7687ff8310a7fa7eebf9f66c486378fba7a296821fd4c552a047a6751f12c611
                          • Instruction Fuzzy Hash: CEC04C75041748ABD7656BD8B84E3287EACA781216F800110EA4D414614BBC54D4C6A6
                          Function 0786ADC1 Relevance: .0, Instructions: 8COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6b63465156be1bae5d983dace4f0616bab1aa31b657de357ad8c0b3684a9dfce
                          • Instruction ID: b81798e0acf4f15a606e2afe658cea3d51f80a30c899ca85132034a05bb79459
                          • Opcode Fuzzy Hash: 6b63465156be1bae5d983dace4f0616bab1aa31b657de357ad8c0b3684a9dfce
                          • Instruction Fuzzy Hash: FAC012384083858FCB014F50D8545A57F315F8B211F0080C2944962151C6305D90DB60

                          Non-executed Functions

                          Function 078623B8 Relevance: 5.2, Strings: 4, Instructions: 174COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: %O@8$%O@8$tQ=)$tQ=)
                          • API String ID: 0-749352435
                          • Opcode ID: 67728e4ed918526a61703685f720bae2e455df57cfb2d736b441444253b985a0
                          • Instruction ID: c9dcd76fd6a8121540e2e964cb20981cd6411fff380115308f3abd12a7c83e8c
                          • Opcode Fuzzy Hash: 67728e4ed918526a61703685f720bae2e455df57cfb2d736b441444253b985a0
                          • Instruction Fuzzy Hash: 0871C2B4E1120AAFCB44CF99D5889AEFBF1FF89310F14856AE415EB224D734AA41CF50
                          Function 07862F68 Relevance: 5.2, Strings: 4, Instructions: 162COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1318698232.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_7860000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: 18'$18'$aY$aY
                          • API String ID: 0-3687307736
                          • Opcode ID: 01365930f685abe26a16c9780644c4878608b02b75a8e2004d2a1e1cfa358667
                          • Instruction ID: 5dd591a19a6c2d05f00aaf7bccaf8209d30fbcfa07cbd9a2f7cf8be6f0804936
                          • Opcode Fuzzy Hash: 01365930f685abe26a16c9780644c4878608b02b75a8e2004d2a1e1cfa358667
                          • Instruction Fuzzy Hash: 0971E1B4E1020AEFCB14DF99C5849AEFBB2FF59210F14855AD815EB304D734A982CF95

                          Executed Functions

                          Function 00411000 Relevance: 10.9, Strings: 8, Instructions: 888COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2518175365.0000000000411000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000012.00000002.2518175365.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000428000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: $G@$0_@$4]@$P^@$\G@$k$tY@$|G@
                          • API String ID: 0-1505186566
                          • Opcode ID: a457a6aadfb95efd9d811b548ddf244f115a337b3ba61db05062b627b9471e83
                          • Instruction ID: 029baee8e13628125fdcb70dd56885d0ba5aa80ace3f137a05d3e0a692edb883
                          • Opcode Fuzzy Hash: a457a6aadfb95efd9d811b548ddf244f115a337b3ba61db05062b627b9471e83
                          • Instruction Fuzzy Hash: 04A2E671900229DFDB24DF60DD98BDAB7B5BB48301F1081EAE24AB7260DB745B89CF54
                          Function 0042C700 Relevance: 9.5, Strings: 7, Instructions: 759COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2518175365.0000000000428000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000012.00000002.2518175365.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: %@$$G@$PO@$\G@$g$|G@$VC
                          • API String ID: 0-4080626169
                          • Opcode ID: fc07feb507e71cf0cbaab3b56002bf1e0946edd59ac1e03c78c3207ded804a5c
                          • Instruction ID: c1ee8d93ed19d549b06c584a64ba40e7de7d25a444fea8d0b315004005537a3c
                          • Opcode Fuzzy Hash: fc07feb507e71cf0cbaab3b56002bf1e0946edd59ac1e03c78c3207ded804a5c
                          • Instruction Fuzzy Hash: BE72DA75900218DFDB14DFA0DD88BDEBBB8FB48305F1085A9E50AB72A0DB745A89CF54
                          Function 00413001 Relevance: 7.3, Strings: 5, Instructions: 1019COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2518175365.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000012.00000002.2518175365.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000428000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4b@$8T@$`a@$lT@$xa@
                          • API String ID: 0-3505363105
                          • Opcode ID: edd77c9115f7b60db697a7f34f11f3a9b586b5c3d7bbb8b40a1635f89f546a25
                          • Instruction ID: a400128bb87dac45816ffa7a7e66e89345024923f5d77596905f50bb48d416e0
                          • Opcode Fuzzy Hash: edd77c9115f7b60db697a7f34f11f3a9b586b5c3d7bbb8b40a1635f89f546a25
                          • Instruction Fuzzy Hash: FAA2F475900218DFCB14DFA0DD88BEEB7B5FB48301F1081AAE50AB72A4DB745A89CF55
                          Function 00433510 Relevance: 4.1, Strings: 3, Instructions: 307COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2518175365.0000000000428000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000012.00000002.2518175365.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: H,@$H,@$h,@
                          • API String ID: 0-2294541158
                          • Opcode ID: 3a6e41bb9a48741c7d9d529b6cf345b9bfd78e2043669eac93eba96d33de36aa
                          • Instruction ID: 4d591d9560f626a5bb843abf54819f2b6fe4ab3bd44d3370877925fd3bf10889
                          • Opcode Fuzzy Hash: 3a6e41bb9a48741c7d9d529b6cf345b9bfd78e2043669eac93eba96d33de36aa
                          • Instruction Fuzzy Hash: 3CB13CB5D00209AFDB04DFA4D985AEEBBB8FB4C711F10816AF901B7250D774A945CBA8
                          Function 0042E240 Relevance: 1.7, Strings: 1, Instructions: 409COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2518175365.0000000000428000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000012.00000002.2518175365.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID: H(@
                          • API String ID: 0-2856970832
                          • Opcode ID: 6e25ffe7afa57ca5b6f30a296effc712e0b005f94327b94689d6f39b6db0e611
                          • Instruction ID: ef64de49db07e334905c70525539baa3313e180217d99c363c828ade0486112c
                          • Opcode Fuzzy Hash: 6e25ffe7afa57ca5b6f30a296effc712e0b005f94327b94689d6f39b6db0e611
                          • Instruction Fuzzy Hash: BCF10AB1900219EFDB00DFA4DA49BDEBBB8FF48705F108169E505B72A0D7B85A44CF69
                          Function 0042C420 Relevance: .2, Instructions: 153COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000012.00000002.2518175365.0000000000428000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000012.00000002.2518175365.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000411000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000413000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.0000000000459000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045B000.00000040.00000400.00020000.00000000.sdmpDownload File
                          • Associated: 00000012.00000002.2518175365.000000000045D000.00000040.00000400.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_qlOtJNH.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8d01fa7cc0fddd2f8058fd47c669b9d8255475b056862d48a9bb8b10bfd72338
                          • Instruction ID: 9de5cf69fd60912415d2c67555e89655c770743b85e7fa61459d465d2eaf990a
                          • Opcode Fuzzy Hash: 8d01fa7cc0fddd2f8058fd47c669b9d8255475b056862d48a9bb8b10bfd72338
                          • Instruction Fuzzy Hash: 0861E5B5C00208DFDB00DFD0DA48BDEBBB8BB48305F10816AE556BB2A4DB745A49CF64