Windows Analysis Report
Quote.exe

Overview

General Information

Sample name: Quote.exe
Analysis ID: 1427944
MD5: 4bde497149d69bd21bce08c8dd20cbe6
SHA1: 51b7b2a217a8ee771ba08cddb9afc94c9d57ddbb
SHA256: 646da2f80123a9ae67c58d474c19609900b5816941164677dc24238316b512e9
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Quote.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\Quote.exe" MD5: 4BDE497149D69BD21BCE08C8DD20CBE6)
    • Quote.exe (PID: 3484 cmdline: "C:\Users\user\Desktop\Quote.exe" MD5: 4BDE497149D69BD21BCE08C8DD20CBE6)
    • Quote.exe (PID: 6208 cmdline: "C:\Users\user\Desktop\Quote.exe" MD5: 4BDE497149D69BD21BCE08C8DD20CBE6)
    • MpCmdRun.exe (PID: 3484 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "kk@framsanjuen.com", "Password": "fzesv)c2"}
Source | Rule | Description | Author | Strings
00000002.00000002.2878079925.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2878079925.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.2880214725.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
2.2.Quote.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
2.2.Quote.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.Quote.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | (listed below)
  • 0x33e27:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33e99:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33f23:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33fb5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3401f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x34091:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34127:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x341b7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quote.exe.3bd9dc8.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.Quote.exe.3bd9dc8.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                    System Summary

                    Source: Network Connection, Author: frack113, Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quote.exe, Initiated: true, ProcessId: 6208, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
                    No Snort rule has matched
                    AV Detection

                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "kk@framsanjuen.com", "Password": "fzesv)c2"}
                    Source: Quote.exe, Virustotal: Detection: 37%
                    Source: Quote.exe, ReversingLabs: Detection: 34%
                    Source: Quote.exe, Joe Sandbox ML: detected
                    Source: Quote.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: Quote.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: xLZii.pdb source: Quote.exe
                    Source: Binary string: xLZii.pdbSHA256 source: Quote.exe
                    Source: C:\Users\user\Desktop\Quote.exe, Code function: 4x nop then jmp 04B90F35h (0_2_04B9048D)
                    Source: C:\Users\user\Desktop\Quote.exe, Code function: 4x nop then jmp 04B90F35h (0_2_04B903E8)
                    Source: C:\Users\user\Desktop\Quote.exe, Code function: 4x nop then jmp 04B90F35h (0_2_04B90469)
                    Source: C:\Users\user\Desktop\Quote.exe, Code function: 4x nop then jmp 04B90F35h (0_2_04B9061A)
                    Source: C:\Users\user\Desktop\Quote.exe, Code function: 4x nop then jmp 04B90F35h (0_2_04B909FA)

                    Networking

                    Source: Yara match, File source: 0.2.Quote.exe.488f1a8.0.raw.unpack, type: UNPACKEDPE
                    Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 208.91.198.143:587
                    Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 208.91.199.223:587
                    Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 208.91.199.225:587
                    Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 208.91.199.224:587
                    Source: Joe Sandbox View, IP Address: 208.91.198.143
                    Source: Joe Sandbox View, IP Address: 208.91.199.225
                    Source: Joe Sandbox View, IP Address: 208.91.199.223
                    Source: Joe Sandbox View, IP Address: 208.91.199.224
                    Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown, DNS traffic detected: queries for: us2.smtp.mailhostbox.com
                    Source: Quote.exe, String found in binary or memory: http://tempuri.org/DataSet1.xsd)Microsoft
                    Source: Quote.exe, 00000002.00000002.2880214725.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://us2.smtp.mailhostbox.com
                    Source: Quote.exe, 00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, Quote.exe, 00000000.00000002.1692358614.00000000045F5000.00000004.00000800.00020000.00000000.sdmp, Quote.exe, 00000002.00000002.2878079925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, cPKWk.cs, .Net Code: Bt4Hz

                    System Summary

                    Source: 2.2.Quote.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.Quote.exe.3bd9dc8.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.Quote.exe.488f1a8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                    Source: 0.2.Quote.exe.5770000.2.raw.unpack, LoginForm.cs, Large array initialization: array initializer size 33603
                    Source: Quote.exe, Form1.cs, Long String: Length: 131612
                    Source: Quote.exe, 00000000.00000002.1691749786.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamec7c7bdcc-01c6-4686-b6a8-e115dc8b943c.exe4 vs Quote.exe
                    Source: Quote.exe, 00000000.00000000.1629494668.0000000000850000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamexLZii.exeT vs Quote.exe
                    Source: Quote.exe, 00000000.00000002.1690847319.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Quote.exe
                    Source: Quote.exe, 00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamec7c7bdcc-01c6-4686-b6a8-e115dc8b943c.exe4 vs Quote.exe
                    Source: Quote.exe, 00000000.00000002.1697141984.0000000008AD0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs Quote.exe
                    Source: Quote.exe, 00000000.00000002.1695598593.0000000005770000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Quote.exe
                    Source: Quote.exe, 00000000.00000002.1692358614.00000000045F5000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs Quote.exe
                    Source: Quote.exe, 00000000.00000002.1692358614.00000000045F5000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamec7c7bdcc-01c6-4686-b6a8-e115dc8b943c.exe4 vs Quote.exe
                    Source: Quote.exe, 00000002.00000002.2878079925.000000000043E000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamec7c7bdcc-01c6-4686-b6a8-e115dc8b943c.exe4 vs Quote.exe
                    Source: Quote.exe, 00000002.00000002.2878320559.0000000000F38000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quote.exe
                    Source: Quote.exe, Binary or memory string: OriginalFilenamexLZii.exeT vs Quote.exe
                    Source: 2.2.Quote.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Quote.exe.3bd9dc8.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Quote.exe.488f1a8.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Quote.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, cPs8D.cs, Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, 72CF8egH.cs, Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, G5CXsdn.cs, Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, 3uPsILA6U.cs, Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, 6oQOw74dfIt.cs, Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, aMIWm.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, 3QjbQ514BDx.cs, Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Quote.exe.8ad0000.5.raw.unpack, dusU9FUqOeCN2dcgfT.cs, Security API names: _0020.SetAccessControl
                    Source: 0.2.Quote.exe.8ad0000.5.raw.unpack, dusU9FUqOeCN2dcgfT.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Quote.exe.8ad0000.5.raw.unpack, dusU9FUqOeCN2dcgfT.cs, Security API names: _0020.AddAccessRule
                    Source: 0.2.Quote.exe.488f1a8.0.raw.unpack, dusU9FUqOeCN2dcgfT.cs, Security API names: _0020.SetAccessControl
                    Source: 0.2.Quote.exe.488f1a8.0.raw.unpack, dusU9FUqOeCN2dcgfT.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Quote.exe.488f1a8.0.raw.unpack, dusU9FUqOeCN2dcgfT.cs, Security API names: _0020.AddAccessRule
                    Source: 0.2.Quote.exe.488f1a8.0.raw.unpack, aJKD1lJZ1eWhKJQBCo.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Quote.exe.8ad0000.5.raw.unpack, aJKD1lJZ1eWhKJQBCo.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@7/2@1/4
                    Source: C:\Users\user\Desktop\Quote.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote.exe.log
                    Source: C:\Users\user\Desktop\Quote.exe, Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:6936:120:WilError_03
                    Source: Quote.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\Quote.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Quote.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Quote.exe, File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\Quote.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown, Process created: C:\Users\user\Desktop\Quote.exe "C:\Users\user\Desktop\Quote.exe"
                    Source: C:\Users\user\Desktop\Quote.exe, Process created: C:\Users\user\Desktop\Quote.exe "C:\Users\user\Desktop\Quote.exe"
                    Source: C:\Users\user\Desktop\Quote.exe, Process created: C:\Users\user\Desktop\Quote.exe "C:\Users\user\Desktop\Quote.exe"
                    Source: C:\Users\user\Desktop\Quote.exe, Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Quote.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\Quote.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\Quote.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Quote.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Quote.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                    Data Obfuscation

                    Source: 0.2.Quote.exe.8ad0000.5.raw.unpack, dusU9FUqOeCN2dcgfT.cs, .Net Code: W6WelnT8sP System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Quote.exe.5770000.2.raw.unpack, .cs, .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Quote.exe.488f1a8.0.raw.unpack, dusU9FUqOeCN2dcgfT.cs, .Net Code: W6WelnT8sP System.Reflection.Assembly.Load(byte[])
                    Source: Quote.exe, Static PE information: 0xF430D9AD [Wed Oct 28 03:42:37 2099 UTC]
                    Source: Quote.exe, Static PE information: section name: .text entropy: 7.284313720335351
                    Source: 0.2.Quote.exe.8ad0000.5.raw.unpack: High entropy of concatenated method names
                    Source: 0.2.Quote.exe.488f1a8.0.raw.unpack: High entropy of concatenated method names
                    Source: C:\Users\user\Desktop\Quote.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: Quote.exe PID: 6904, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 11C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 2B90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 4B90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 61F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 71F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 7330000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 8330000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 8B80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 9B80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: AB80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: BB80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 11D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 2EA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: 2D20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quote.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Quote.exe Window / User API: threadDelayed 698
                    Source: C:\Users\user\Desktop\Quote.exe Window / User API: threadDelayed 9163
                    Source: C:\Users\user\Desktop\Quote.exe TID: 6960 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Quote.exe TID: 7088 Thread sleep count: 33 > 30
                    Source: C:\Users\user\Desktop\Quote.exe TID: 7088 Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\Desktop\Quote.exe TID: 7088 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\Quote.exe TID: 7092 Thread sleep count: 698 > 30
                    Source: C:\Users\user\Desktop\Quote.exe TID: 7092 Thread sleep count: 9163 > 30
                    Source: C:\Users\user\Desktop\Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Quote.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Quote.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: Quote.exe, 00000002.00000002.2879179529.000000000139B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
                    Source: C:\Users\user\Desktop\Quote.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Quote.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Quote.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Quote.exe Memory written: C:\Users\user\Desktop\Quote.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Quote.exe Process created: C:\Users\user\Desktop\Quote.exe "C:\Users\user\Desktop\Quote.exe"
                    Source: C:\Users\user\Desktop\Quote.exe Queries volume information: C:\Users\user\Desktop\Quote.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Quote.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: 2.2.Quote.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.Quote.exe.3bd9dc8.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.Quote.exe.488f1a8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000002.00000002.2878079925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000002.00000002.2880214725.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000002.00000002.2880214725.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1692358614.00000000045F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: Quote.exe PID: 6904, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: Quote.exe PID: 6208, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Quote.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\Quote.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Quote.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Quote.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\Quote.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\Quote.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\Quote.exe File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\Quote.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\Quote.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\Quote.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                    Remote Access Functionality

                    Source: Yara match File source: 2.2.Quote.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.Quote.exe.3bd9dc8.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.Quote.exe.3bd9dc8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.Quote.exe.488f1a8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000002.00000002.2878079925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000002.00000002.2880214725.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000002.00000002.2880214725.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1692358614.00000000045F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: Quote.exe PID: 6904, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: Quote.exe PID: 6208, type: MEMORYSTR

                    • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    • Execution: 131 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    • Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    • Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                    • Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    • Discovery: 121 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                    • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    • Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 2 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    • Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                    Source | Detection | Scanner | Label
                    Quote.exe | 37% | Virustotal |
                    Quote.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                    Quote.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://tempuri.org/DataSet1.xsd)Microsoft | 1% | Virustotal |

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://account.dyn.com/ | Quote.exe, 00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, Quote.exe, 00000000.00000002.1692358614.00000000045F5000.00000004.00000800.00020000.00000000.sdmp, Quote.exe, 00000002.00000002.2878079925.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/DataSet1.xsd)Microsoft | Quote.exe | false | | unknown
                    http://us2.smtp.mailhostbox.com | Quote.exe, 00000002.00000002.2880214725.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp | false | | high

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.91.198.143 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                    208.91.199.225 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                    208.91.199.223 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                    208.91.199.224 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1427944
                    Start date and time: 2024-04-18 11:17:06 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 6m 25s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed: 8
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: Quote.exe
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@7/2@1/4
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 96
                    • Number of non-executed functions: 17
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Time | Type | Description
                    11:17:55 | API Interceptor | 127352x Sleep call for process: Quote.exe modified
                    11:18:21 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

                    Match | Associated Sample Name / URL | Detection | Threat Name
                    208.91.198.143 | SecuriteInfo.com.Heur.15333.25205.exe | malicious | AgentTesla
                    208.91.198.143 | Fsd5TmAZfy.exe | malicious | AgentTesla
                    208.91.198.143 | April 2024 order Pdf.exe | malicious | AgentTesla
                    208.91.198.143 | TT Invoice copy.exe | malicious | AgentTesla, PureLog Stealer
                    208.91.198.143 | MT103.exe | malicious | AgentTesla, PureLog Stealer
                    208.91.198.143 | Transmiison Remit.exe | malicious | AgentTesla
                    208.91.198.143 | account details ptgd.exe | malicious | AgentTesla
                    208.91.198.143 | DHL-7654544CNT Pdf.exe | malicious | AgentTesla
                    208.91.198.143 | SecuriteInfo.com.Trojan.PackedNET.2794.21912.2151.exe | malicious | AgentTesla
                    208.91.198.143 | Prices.exe | malicious | AgentTesla
                    208.91.199.225 | Quote.exe | malicious | AgentTesla
                    208.91.199.225 | Quotation 0048484.exe | malicious | AgentTesla
                    208.91.199.225 | MV SUN OCEAN BUNKER INV.doc | malicious | AgentTesla
                    208.91.199.225 | Transmiison Remit.exe | malicious | AgentTesla
                    208.91.199.225 | Quotation.exe | malicious | AgentTesla
                    208.91.199.225 | euFL17ioCm.exe | malicious | AgentTesla
                    208.91.199.225 | Quote.exe | malicious | AgentTesla
                    208.91.199.225 | Zarefy4bOs.exe | malicious | Snake Keylogger
                    208.91.199.225 | Request for Quotation.exe | malicious | AgentTesla
                    208.91.199.225 | Purchase Order.exe | malicious | Snake Keylogger
                    208.91.199.223 | Quote.exe | malicious | AgentTesla
                    208.91.199.223 | Cleared Payment.exe | malicious | AgentTesla
                    208.91.199.223 | ReInquiry Lenght Error.exe | malicious | AgentTesla
                    208.91.199.223 | Transmiison Remit.exe | malicious | AgentTesla
                    208.91.199.223 | MT103 .exe | malicious | AgentTesla
                    208.91.199.223 | New Order 0048757.exe | malicious | AgentTesla
                    208.91.199.223 | SecuriteInfo.com.Win32.TrojanX-gen.19751.7678.exe | malicious | AgentTesla
                    208.91.199.223 | Po094847 Urgent .exe | malicious | AgentTesla
                    208.91.199.223 | PO_10042024.exe | malicious | AgentTesla
                    208.91.199.223 | cgprgRztWc.exe | malicious | AgentTesla
                    208.91.199.224 | MV SUN OCEAN BUNKER INV.doc | malicious | AgentTesla
                    208.91.199.224 | ES502900012.pdf.exe | malicious | AgentTesla
                    208.91.199.224 | SecuriteInfo.com.Win32.PWSX-gen.22951.7290.exe | malicious | AgentTesla
                    208.91.199.224 | Transmiison Remit.exe | malicious | AgentTesla
                    208.91.199.224 | Quote.exe | malicious | AgentTesla
                    208.91.199.224 | Purchase Order.exe | malicious | AgentTesla
                    208.91.199.224 | Quotation.exe | malicious | AgentTesla
                    208.91.199.224 | Quote.exe | malicious | AgentTesla
                    208.91.199.224 | CLQJDkgY3X.exe | malicious | AgentTesla
                    208.91.199.224 | UPS 984645.exe | malicious | AgentTesla

                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    us2.smtp.mailhostbox.com | Quote.exe | malicious | AgentTesla | 208.91.199.223
                    us2.smtp.mailhostbox.com | SecuriteInfo.com.Heur.15333.25205.exe | malicious | AgentTesla | 208.91.198.143
                    us2.smtp.mailhostbox.com | Cleared Payment.exe | malicious | AgentTesla | 208.91.199.223
                    us2.smtp.mailhostbox.com | Quote.exe | malicious | AgentTesla | 208.91.199.225
                    us2.smtp.mailhostbox.com | Quotation 0048484.exe | malicious | AgentTesla | 208.91.199.225
                    us2.smtp.mailhostbox.com | Fsd5TmAZfy.exe | malicious | AgentTesla | 208.91.198.143
                    us2.smtp.mailhostbox.com | MV SUN OCEAN BUNKER INV.doc | malicious | AgentTesla | 208.91.199.225
                    us2.smtp.mailhostbox.com | ReInquiry Lenght Error.exe | malicious | AgentTesla | 208.91.199.223
                    us2.smtp.mailhostbox.com | ES502900012.pdf.exe | malicious | AgentTesla | 208.91.199.224
                    us2.smtp.mailhostbox.com | April 2024 order Pdf.exe | malicious | AgentTesla | 208.91.198.143

                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          PUBLIC-DOMAIN-REGISTRYUSQuote.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.223
                                                                                                          SecuriteInfo.com.Heur.15333.25205.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.198.143
                                                                                                          DOCUMENTS.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 162.222.226.100
                                                                                                          Cleared Payment.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.223
                                                                                                          Quote.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          Quotation 0048484.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 162.222.226.100
                                                                                                          Fsd5TmAZfy.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.198.143
                                                                                                          SHIPPING ORDER.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 162.222.226.100
                                                                                                          MV SUN OCEAN BUNKER INV.docGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          Process:C:\Users\user\Desktop\Quote.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1216
                                                                                                          Entropy (8bit):5.34331486778365
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                          Malicious:false
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):4926
                                                                                                          Entropy (8bit):3.2439260532546705
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:FaqdF79/0+AAHdKoqKFxcxkF3/waqdF70+AAHdKoqKFxcxkFV:cEi+AAsoJjykzE0+AAsoJjyk/
                                                                                                          MD5:A302FE36F47524F9EB23A3442AE11901
                                                                                                          SHA1:506BC2EAFF79414E9B6F02A7172F5F7AC28E497E
                                                                                                          SHA-256:25498382CA1AAF97A2811FEAAD1275623737691F46FE9B8325E3F4E399F77112
                                                                                                          SHA-512:66B891042AF754C3323F6FE159BCEBD439860152873629E69949C695D71D219E19B91E6326D4DF206B5266C81F5BF835E776210D6BDA652D20DEF6F21CA6FE1A
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. O.c.t. .. 0.4. .. 2.0.2.3. .1.2.:.0.3.:.4.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):7.276564135948447
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          File name:Quote.exe
                                                                                                          File size:1'036'800 bytes
                                                                                                          MD5:4bde497149d69bd21bce08c8dd20cbe6
                                                                                                          SHA1:51b7b2a217a8ee771ba08cddb9afc94c9d57ddbb
                                                                                                          SHA256:646da2f80123a9ae67c58d474c19609900b5816941164677dc24238316b512e9
                                                                                                          SHA512:c5d741dfbd6453fa0da97e7964ce8baedd1a0c042b15df49c42f38bb5720ca22ecb730c5cdb7b8d990e47fa951b5e5a91a6a5367ed6faf2be308316e695f0150
                                                                                                          SSDEEP:12288:yYEuIzHyxF+p8AkFrenbnx1BCHrqZKgnZdHYDsQDl0mFVWooGorRLxg7SD9cZ6m/:XE1zSypl0glPkMX0D2mFVW3+Aco2mE
                                                                                                          TLSH:4F25E23D1CBD2A3B9075D2A9CFE98567F040D47B3A11AD7A88D383958346A9379C313E
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0...............0.............*.... ........@.. .......................@............@................................
                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                          Entrypoint:0x4fe52a
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0xF430D9AD [Wed Oct 28 03:42:37 2099 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                          Instruction
                                                                                                          jmp dword ptr [00402000h]
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfe4d8 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x624 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x102000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfc1fc | 0x70 | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xfc530 | 0xfc600 | 243b1e4ec64a25c2a378b0ff65dcaad3 | False | 0.7812567716072313 | data | 7.284313720335351 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x100000 | 0x624 | 0x800 | 9b0cf8a275cc1e926cabffb2b586b31e | False | 0.333984375 | data | 3.4587830036363085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x102000 | 0xc | 0x200 | fc23b933bd7748e3599e22eb4f084f95 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x100090 | 0x394 | OpenPGP Secret Key | | | 0.42248908296943233 |
| RT_MANIFEST | 0x100434 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 18, 2024 11:18:02.344532967 CEST | 49730 | 587 | 192.168.2.4 | 208.91.198.143 |
| Apr 18, 2024 11:18:03.337131023 CEST | 49730 | 587 | 192.168.2.4 | 208.91.198.143 |
| Apr 18, 2024 11:18:05.337068081 CEST | 49730 | 587 | 192.168.2.4 | 208.91.198.143 |
| Apr 18, 2024 11:18:09.337074041 CEST | 49730 | 587 | 192.168.2.4 | 208.91.198.143 |
| Apr 18, 2024 11:18:17.352746010 CEST | 49730 | 587 | 192.168.2.4 | 208.91.198.143 |
| Apr 18, 2024 11:18:23.370054007 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.223 |
| Apr 18, 2024 11:18:24.383977890 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.223 |
| Apr 18, 2024 11:18:26.399636030 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.223 |
| Apr 18, 2024 11:18:30.399765015 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.223 |
| Apr 18, 2024 11:18:38.415304899 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.223 |
| Apr 18, 2024 11:18:44.431261063 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.225 |
| Apr 18, 2024 11:18:45.446526051 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.225 |
| Apr 18, 2024 11:18:47.446544886 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.225 |
| Apr 18, 2024 11:18:51.446645021 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.225 |
| Apr 18, 2024 11:18:59.446585894 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.225 |
| Apr 18, 2024 11:19:05.446878910 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.224 |
| Apr 18, 2024 11:19:06.446671009 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.224 |
| Apr 18, 2024 11:19:08.446755886 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.224 |
| Apr 18, 2024 11:19:12.446588039 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.224 |
| Apr 18, 2024 11:19:20.446647882 CEST | 49730 | 587 | 192.168.2.4 | 208.91.199.224 |

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 18, 2024 11:18:02.229640961 CEST | 53106 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 18, 2024 11:18:02.336376905 CEST | 53 | 53106 | 1.1.1.1 | 192.168.2.4 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 18, 2024 11:18:02.229640961 CEST | 192.168.2.4 | 1.1.1.1 | 0x2326 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 18, 2024 11:18:02.336376905 CEST | 1.1.1.1 | 192.168.2.4 | 0x2326 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 11:18:02.336376905 CEST | 1.1.1.1 | 192.168.2.4 | 0x2326 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 11:18:02.336376905 CEST | 1.1.1.1 | 192.168.2.4 | 0x2326 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 11:18:02.336376905 CEST | 1.1.1.1 | 192.168.2.4 | 0x2326 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001) | false |

                                                                                                          Target ID:0
                                                                                                          Start time:11:17:54
                                                                                                          Start date:18/04/2024
                                                                                                          Path:C:\Users\user\Desktop\Quote.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\Quote.exe"
                                                                                                          Imagebase:0x750000
                                                                                                          File size:1'036'800 bytes
                                                                                                          MD5 hash:4BDE497149D69BD21BCE08C8DD20CBE6
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1692358614.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1692358614.00000000045F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1692358614.00000000045F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:1
                                                                                                          Start time:11:18:00
                                                                                                          Start date:18/04/2024
                                                                                                          Path:C:\Users\user\Desktop\Quote.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Users\user\Desktop\Quote.exe"
                                                                                                          Imagebase:0x160000
                                                                                                          File size:1'036'800 bytes
                                                                                                          MD5 hash:4BDE497149D69BD21BCE08C8DD20CBE6
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:2
                                                                                                          Start time:11:18:00
                                                                                                          Start date:18/04/2024
                                                                                                          Path:C:\Users\user\Desktop\Quote.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\Quote.exe"
                                                                                                          Imagebase:0xa80000
                                                                                                          File size:1'036'800 bytes
                                                                                                          MD5 hash:4BDE497149D69BD21BCE08C8DD20CBE6
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2878079925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2878079925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2880214725.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2880214725.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2880214725.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:4
                                                                                                          Start time:11:18:21
                                                                                                          Start date:18/04/2024
                                                                                                          Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                          Imagebase:0x7ff6fb0e0000
                                                                                                          File size:468'120 bytes
                                                                                                          MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:5
                                                                                                          Start time:11:18:21
                                                                                                          Start date:18/04/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:9.3%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:7.4%
                                                                                                            Total number of Nodes:231
                                                                                                            Total number of Limit Nodes:12
26890->26897 26892->26884 26894 122b034 26893->26894 26895 122a110 LoadLibraryExW 26894->26895 26896 122b059 26894->26896 26895->26896 26896->26884 26898 122b200 LoadLibraryExW 26897->26898 26900 122b279 26898->26900 26900->26892 26902 122cf15 26901->26902 26904 122cf4f 26902->26904 26905 122bac0 26902->26905 26904->26868 26906 122bacb 26905->26906 26908 122dc68 26906->26908 26909 122d2bc 26906->26909 26908->26908 26910 122d2c7 26909->26910 26911 1225cc4 2 API calls 26910->26911 26912 122dcd7 26911->26912 26912->26908
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1694064151.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_4b90000_Quote.jbxd
                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0122D09E
                                                                                                            • GetCurrentThread.KERNEL32 ref: 0122D0DB
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0122D118
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0122D171
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0122D09E
                                                                                                            • GetCurrentThread.KERNEL32 ref: 0122D0DB
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0122D118
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0122D171
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 085BF256
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 085BF256
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0122AFDE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            • Opcode ID: 2f66715813362ba8b7b89c7323f27d93c9296de4e3106f2609c703f84b7eef91
                                                                                                            • Instruction ID: efacab8aefd287e2f8793bc573cf6e9914dfbede8c2eafef95453a561bec8651
                                                                                                            • Opcode Fuzzy Hash: 2f66715813362ba8b7b89c7323f27d93c9296de4e3106f2609c703f84b7eef91
                                                                                                            • Instruction Fuzzy Hash: 6C714270A10B169FD724DF29D14479ABBF1FF88304F008A2DD58ADBA50DB75E94ACB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 012259C9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID:
                                                                                                            • API String ID: 2289755597-0
                                                                                                            • Opcode ID: 54975e7e1acbb3a2520a627e492fee0d557731a20c590e32c48d679f043379a7
                                                                                                            • Instruction ID: 86eae886b6bfd3189e9e29c8295fd5c8695af17e303a7ace884ef8ffa9569240
                                                                                                            • Opcode Fuzzy Hash: 54975e7e1acbb3a2520a627e492fee0d557731a20c590e32c48d679f043379a7
                                                                                                            • Instruction Fuzzy Hash: 4A41EFB0C10729DFDB24CFA9C985ACEBBB5BF48304F24816AD408AB255DB755986CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 012259C9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID:
                                                                                                            • API String ID: 2289755597-0
                                                                                                            • Opcode ID: 1eb94f336e3afa2f745a436cd6393cb2aa6d30071429d3bd5e26a36365855e31
                                                                                                            • Instruction ID: e8e1a3451fff5d75d0e2f5b3a950898a0fbe2e866fdaa55a5769b2736dc37dae
                                                                                                            • Opcode Fuzzy Hash: 1eb94f336e3afa2f745a436cd6393cb2aa6d30071429d3bd5e26a36365855e31
                                                                                                            • Instruction Fuzzy Hash: 7541D2B0C1071DDBDB24CFA9C8857DDBBB5BF49304F24805AD408AB255DB755985CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 085BEE28
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: e8515f8e2df42138194e0e94f6fe632ebff161a8b53ab3a182fed6c029bc9acf
                                                                                                            • Instruction ID: e3a23bd3d4d72c4f4f940355350ffe763f8b8c0cf5be624f2cdb5fbc12937cc3
                                                                                                            • Opcode Fuzzy Hash: e8515f8e2df42138194e0e94f6fe632ebff161a8b53ab3a182fed6c029bc9acf
                                                                                                            • Instruction Fuzzy Hash: 652135B19002599FCB10CFAAC885BEEBBF1FF88310F148429E959A7251C7789954CBA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 085BEE28
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: d5fb19485d1b755201cdf0fbf3cf26d241735ece01d986d35bf558f85b38df96
                                                                                                            • Instruction ID: 454700dabd1fd683ee5bacdf2000883318a105a0b231df7f77d9ae64f39a8b51
                                                                                                            • Opcode Fuzzy Hash: d5fb19485d1b755201cdf0fbf3cf26d241735ece01d986d35bf558f85b38df96
                                                                                                            • Instruction Fuzzy Hash: 122139B1900359DFCB10CFA9C885BDEBBF5FF48310F148429E958A7251D7789954CBA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 085BE846
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            • API String ID: 983334009-0
                                                                                                            • Opcode ID: 9249802e06d48e3543f025710d6d70b2231ad1268f424dda499822c3c200f7a5
                                                                                                            • Instruction ID: 5f392674f3a05108a59f4de96c39644ec4c370b40a2004b927fc8f1d863c80a6
                                                                                                            • Opcode Fuzzy Hash: 9249802e06d48e3543f025710d6d70b2231ad1268f424dda499822c3c200f7a5
                                                                                                            • Instruction Fuzzy Hash: 6D2128B1D002098FDB10DFAAD4857EEBBF0AF88324F14842DD459A7241C7789945CFA5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 085BEF08
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 1726664587-0
                                                                                                            • Opcode ID: 924c50f05311fd6e94365fe66fb6b917c4b6aa086235a61012c8aafeeafdd851
                                                                                                            • Instruction ID: 5c3f5094a2db7de986e788ce31301f44469ea5651248d42a194b3375c92b36ed
                                                                                                            • Opcode Fuzzy Hash: 924c50f05311fd6e94365fe66fb6b917c4b6aa086235a61012c8aafeeafdd851
                                                                                                            • Instruction Fuzzy Hash: C12136B19002499FCB10CFAAD885AEEBBF1FF88320F10842DE559A7251C7789945CF64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 085BEF08
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 1726664587-0
                                                                                                            • Opcode ID: 97dc05447b2820d0415852d0599478c2aec43a552a878313acb7314881f06dc3
                                                                                                            • Instruction ID: 9425b17408f3d6b1cf51027e0fdb721725a40bed2cdfe663393d8015602ccf7b
                                                                                                            • Opcode Fuzzy Hash: 97dc05447b2820d0415852d0599478c2aec43a552a878313acb7314881f06dc3
                                                                                                            • Instruction Fuzzy Hash: 972128B18002599FCB10DFAAC885ADEFBF5FF48320F108429E558A7251C7749944CBA5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 085BE846
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            • API String ID: 983334009-0
                                                                                                            • Opcode ID: 805a09190aac7e9c3977bfe1a5ded3b6d85a3224985f93da49370990d3f3c198
                                                                                                            • Instruction ID: 216fa94516946f9104c440fd35092ea271da2bff99d645f9ca10f2c969a9453e
                                                                                                            • Opcode Fuzzy Hash: 805a09190aac7e9c3977bfe1a5ded3b6d85a3224985f93da49370990d3f3c198
                                                                                                            • Instruction Fuzzy Hash: AA2138B1D002098FDB10DFAAC4857EEBBF4EF88324F54842DD459A7241CB78A944CFA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122D6F7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 446b2e915e335bd51e0b897acfc9fe5aabb1aca98f3ff43d4d6a20c6363688b4
                                                                                                            • Instruction ID: 490f044b3a147e797ab95ef1332ef1fe56c5bcb8e5ba903f36ec53ce5e0fcfd1
                                                                                                            • Opcode Fuzzy Hash: 446b2e915e335bd51e0b897acfc9fe5aabb1aca98f3ff43d4d6a20c6363688b4
                                                                                                            • Instruction Fuzzy Hash: B82103B59002589FDB10CFA9E584AEEBFF4EB48320F14801AE918A7250C378A940CFA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122D6F7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: f23b88048ee6fa49677acc24221f9ece8bfd5d849726a2e1acb467bfe0c8b234
                                                                                                            • Instruction ID: 93bfd84bee12672df7eba2f46c35a43766e52bb1797cb5fbdf2304593cd03e6f
                                                                                                            • Opcode Fuzzy Hash: f23b88048ee6fa49677acc24221f9ece8bfd5d849726a2e1acb467bfe0c8b234
                                                                                                            • Instruction Fuzzy Hash: 3021E4B5900258AFDB10CF9AD984ADEBFF4FB48320F14801AE918A7350D374A940CFA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0122B059,00000800,00000000,00000000), ref: 0122B26A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0122B059,00000800,00000000,00000000), ref: 0122B26A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 085BED46
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 085BED46
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • ResumeThread.KERNELBASE(5CF9E804), ref: 085BE77A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ResumeThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 947044025-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • ResumeThread.KERNELBASE(5CF9E804), ref: 085BE77A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ResumeThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 947044025-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0122AFDE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 04B91A9D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1694064151.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_4b90000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID:
                                                                                                            • API String ID: 410705778-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 04B91A9D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1694064151.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_4b90000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID:
                                                                                                            • API String ID: 410705778-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1690677751.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_e0d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1690745914.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_f2d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1690745914.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_f2d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1690745914.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_f2d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1690677751.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_e0d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1690745914.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_f2d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                            • Instruction ID: f2fdb02c894a77eaa26dc5c41779fc886ac7027ecb8fb1307da17e48eba0ef43
                                                                                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                            • Instruction Fuzzy Hash: AB119D75904280DFDB05CF54E5C4B15BFA2FB84328F24C6AAD8494B696C33AD84ADBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1690677751.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_e0d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2b5de73a720542dfac1fc9888f449beecd0c6e79464e215c31aa94efabab305a
                                                                                                            • Instruction ID: a8b1304dfcfcc38ac665f7062da3e48f90ddc667e6054d7c8e5dc91914269769
                                                                                                            • Opcode Fuzzy Hash: 2b5de73a720542dfac1fc9888f449beecd0c6e79464e215c31aa94efabab305a
                                                                                                            • Instruction Fuzzy Hash: 5A01A77140C3449AE7104A69CDC47A7FF98EF85324F1CC52BED095A1D6C6799C80C771
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1690677751.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_e0d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 38bff414e1cb80921ef0c9a94e517a27c9ab910ddaa100082860fe28d7e36f3a
                                                                                                            • Instruction ID: 7d165feabaa2f495a0b33955fa812ee955fc64bbd8500291b7bf1a04a34b640d
                                                                                                            • Opcode Fuzzy Hash: 38bff414e1cb80921ef0c9a94e517a27c9ab910ddaa100082860fe28d7e36f3a
                                                                                                            • Instruction Fuzzy Hash: 64F062714083449EE7108A1ACDC4BA6FFA8EF95738F18C55AED085E286C2799C84CB71
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: T+-q$[V~*$[V~*$]\`
                                                                                                            • API String ID: 0-1849991408
                                                                                                            • Opcode ID: fa87880ebd61830e52ba5a82b4d35293740e781f355f812c047b5b58fbb7cd2c
                                                                                                            • Instruction ID: f2e1969de60eeb3293a087ebf649b9067ae4a031fb2b99be54207c157550b7c1
                                                                                                            • Opcode Fuzzy Hash: fa87880ebd61830e52ba5a82b4d35293740e781f355f812c047b5b58fbb7cd2c
                                                                                                            • Instruction Fuzzy Hash: D2B1E574E15219DBCB08CFAAD9809DEFBF2BF99340B14D92AD415BB214E730A9068F54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: T+-q$[V~*$]\`
                                                                                                            • API String ID: 0-3978741314
                                                                                                            • Opcode ID: b33c20510fef0211d2f7391d463d7b6e84f65779fd8d1b2864d49ecbda86bb7e
                                                                                                            • Instruction ID: d12e5094dbe687a1a8108a3cf8d87f16455589e8111457467b1e277213359b63
                                                                                                            • Opcode Fuzzy Hash: b33c20510fef0211d2f7391d463d7b6e84f65779fd8d1b2864d49ecbda86bb7e
                                                                                                            • Instruction Fuzzy Hash: 0FA1F774E15219DFCB08CFAAD9809DEFBF2BF99340B14D92AD415BB214E73099058F64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1694064151.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_4b90000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 389253414a2a28b35968b001be4a78882c59b27474108c5d1d9b65289cffad71
                                                                                                            • Instruction ID: 7ac980d15955ee643a8ec43a04e897c012b8d85d2f2774cbb1ea9f0660fd6d9d
                                                                                                            • Opcode Fuzzy Hash: 389253414a2a28b35968b001be4a78882c59b27474108c5d1d9b65289cffad71
                                                                                                            • Instruction Fuzzy Hash: 46D19931B006119FEB29DB79C450BAEB7F6EF89304F1488B9D5469B6A0DB35EC02CB51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f5ab6b0b8d3be3675369269db399bb8af8037798789387ffa4fadeda7ae11976
                                                                                                            • Instruction ID: 71d82b9c015a1e274706819738fe2bbc568d752f616c8807e730d91d5e403c1b
                                                                                                            • Opcode Fuzzy Hash: f5ab6b0b8d3be3675369269db399bb8af8037798789387ffa4fadeda7ae11976
                                                                                                            • Instruction Fuzzy Hash: 38E1F874E101198FDB14DFA9C5809AEFBF2BF89305F2481A9E415AB356DB30AD42CF64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 88211fc8aecf0eb6fe9f942cbbe0773d5a30bb328f83720c3204bece260dc784
                                                                                                            • Instruction ID: 2837d8cec1e0564e2e7271eeeb20a5420df724406d9f8b803334c739c1fc8ca8
                                                                                                            • Opcode Fuzzy Hash: 88211fc8aecf0eb6fe9f942cbbe0773d5a30bb328f83720c3204bece260dc784
                                                                                                            • Instruction Fuzzy Hash: 92E1F874E001198FCB14DFA9C5859AEFBF2BF89305F24C169E415AB356DB30A941CF61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3b0fea02a04090653ba1304984277942ca47c099db0c2efc409512943032a00d
                                                                                                            • Instruction ID: 1d8a47029a9bcbca4bb9c25005e78288f0dde5cbad04a8ca0c8c822b36b23f4c
                                                                                                            • Opcode Fuzzy Hash: 3b0fea02a04090653ba1304984277942ca47c099db0c2efc409512943032a00d
                                                                                                            • Instruction Fuzzy Hash: 18E1D874E001198FCB14DFA9C5859AEFBF2BF89305F2481AAE414AB356DB31A941CF61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 74b8f76fb035710bce3557f5f9e2b25f7ba28aa9b66801f6711637c4f348c312
                                                                                                            • Instruction ID: 3000547c325e35bc470c27468842175c9506951254bfeb5a9b3723eccf421a6f
                                                                                                            • Opcode Fuzzy Hash: 74b8f76fb035710bce3557f5f9e2b25f7ba28aa9b66801f6711637c4f348c312
                                                                                                            • Instruction Fuzzy Hash: B9E1F774E002198FDB14DFA9C5859AEFBF2BF89305F248169E414AB356DB30A942CF60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2d6a2a72cdf5eb986edfa5a2e810d69696dcf00bc921eef768c8feadfdc3f22b
                                                                                                            • Instruction ID: fd2e110893651dd2a28e9bd10e6b886840c2e7c85cc3055bf5c0b72db3aa0c59
                                                                                                            • Opcode Fuzzy Hash: 2d6a2a72cdf5eb986edfa5a2e810d69696dcf00bc921eef768c8feadfdc3f22b
                                                                                                            • Instruction Fuzzy Hash: EEE1E874E001198FCB14DFA9C5849AEFBF2BF89305F2481AAD414AB356DB31AD42CF64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 83932c368234c41228c602fc5d3107f448e503e8718ffee83b750bf40c1fae85
                                                                                                            • Instruction ID: ee3795fdd3f81490cf554460d9365e0c64622d179a7cb237c4c1348dc3260c25
                                                                                                            • Opcode Fuzzy Hash: 83932c368234c41228c602fc5d3107f448e503e8718ffee83b750bf40c1fae85
                                                                                                            • Instruction Fuzzy Hash: 86D1E431920B5A8ECB10EBA4D950A9DB7B1FF95300F20C79AD00937665FB706AC9CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f81348055aec88659e6cd9547c7439cd489b556b7c1c50598d2cdc5fc81c7e71
                                                                                                            • Instruction ID: a9f07237447363c94b12a7c9a157e6c1564356d49286bf32584a30c0ccc7991b
                                                                                                            • Opcode Fuzzy Hash: f81348055aec88659e6cd9547c7439cd489b556b7c1c50598d2cdc5fc81c7e71
                                                                                                            • Instruction Fuzzy Hash: A2D1D43192075A8ECB00EBA4D950A9DB7B5FF95300F20C79AD40937665FB706AC9CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1691074941.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1220000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 748cd585175baa53848eacd9474d14fc6ed92a9ed5a3b434ae784e5e6c24448c
                                                                                                            • Instruction ID: 52343a95967a108cf508e1478f6f4b7e7020179ded717e58ddf6023ab63dae56
                                                                                                            • Opcode Fuzzy Hash: 748cd585175baa53848eacd9474d14fc6ed92a9ed5a3b434ae784e5e6c24448c
                                                                                                            • Instruction Fuzzy Hash: 2EA1B632E1021ADFCF15DFB4CA448EEB7B2FF85300B25856AE901AB265DB71D916CB40
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 283dcca60c300f745fe05273027fffbf79e9f4195be9bfcf27131240b39ddc8b
                                                                                                            • Instruction ID: 5bdf67151387422c1a6ed95f879806eba681cf8809f74d080147b13f5a2df575
                                                                                                            • Opcode Fuzzy Hash: 283dcca60c300f745fe05273027fffbf79e9f4195be9bfcf27131240b39ddc8b
                                                                                                            • Instruction Fuzzy Hash: F4512874E002198FCB14CFA9C9845AEFBF2BF89305F24C1AAD418AB256D7319D42CF65
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dbdf78e535ddaf7cf7980773cf3def8971d5a31f875b96aa2c26f35affc634b5
                                                                                                            • Instruction ID: 4f867f96cb03a3e9dcdf1f5d2290d03121ac585c3417cb39f55dfc2f87ac2bfc
                                                                                                            • Opcode Fuzzy Hash: dbdf78e535ddaf7cf7980773cf3def8971d5a31f875b96aa2c26f35affc634b5
                                                                                                            • Instruction Fuzzy Hash: 9551F674E002198BDB14DFA9C5855EEFBF2BF89305F24C1AAD418A7256DB309942CF61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1696773832.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_85b0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7933731d37296c9df23a3a49a6b7cbb45ceed828c50efe3cb35416ffb97942b7
                                                                                                            • Instruction ID: 49efcc656aae7827663f10ddb74d3459e25a1c4f816970b3b5789576b12490d6
                                                                                                            • Opcode Fuzzy Hash: 7933731d37296c9df23a3a49a6b7cbb45ceed828c50efe3cb35416ffb97942b7
                                                                                                            • Instruction Fuzzy Hash: 4551FC74E002198FDB14CFA9C5855EEFBF2BF89305F24C1AAD418A7216D7319941CF61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1694064151.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_4b90000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e6f3ed291a28b9864497e417f28e93c333272d7342b2b6907f07e828067be56c
                                                                                                            • Instruction ID: 85fe3f2091bf00fd1048656f35af744706c266b1b84d3a1694c2ce2bed2027b0
                                                                                                            • Opcode Fuzzy Hash: e6f3ed291a28b9864497e417f28e93c333272d7342b2b6907f07e828067be56c
                                                                                                            • Instruction Fuzzy Hash: 7E31DA71E456298BEB28DF6688047EDBBF6AFC9300F14C1FAC41DA6255EB341A859E00
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1694064151.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_4b90000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6eb88a5fe12e0aa014770df7fe6378f131611b15f3c75aa56a784c486fe1c052
                                                                                                            • Instruction ID: 51392258b4744f215bed424e3b62a0ef870179d57282eeb579f90844c8fd705e
                                                                                                            • Opcode Fuzzy Hash: 6eb88a5fe12e0aa014770df7fe6378f131611b15f3c75aa56a784c486fe1c052
                                                                                                            • Instruction Fuzzy Hash: 4011BF74909668CFCB24EF28D9447E8BBF5EB4A302F0094EAD40AA2252E7305E84DF10
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1694064151.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_4b90000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9d34746a185164a48f46eeb84d463e1a8666881d1741fa19ac6c8da5d30c830d
                                                                                                            • Instruction ID: 6d41ad258ca21c0dfa1d0e89500a50a5eca47b26d1565cd74fe5a174289b3426
                                                                                                            • Opcode Fuzzy Hash: 9d34746a185164a48f46eeb84d463e1a8666881d1741fa19ac6c8da5d30c830d
                                                                                                            • Instruction Fuzzy Hash: B3F01774A09645DFCB10EF94D4885F8BBF8EB4B311B0450FAD40A97213E7306955EB15
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:12%
                                                                                                            Dynamic/Decrypted Code Coverage:96.6%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:117
                                                                                                            Total number of Limit Nodes:12
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5cf57cca1d756100e936a358b4c006b48758b792227483c9ab5d37c2d2c4be47
                                                                                                            • Instruction ID: 02151914e71a391a60cd26baa0aceab89b4483285e33566494837a965f7eb791
                                                                                                            • Opcode Fuzzy Hash: 5cf57cca1d756100e936a358b4c006b48758b792227483c9ab5d37c2d2c4be47
                                                                                                            • Instruction Fuzzy Hash: 1953F831D10B1A8ADB15EF68C8846A9F7B1FF99300F15D79AE45867121FB70AAC4CF81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1997495627420b4dce315fa8e0679f99696f1fa95d2517d1ed7ef25548c66fcc
                                                                                                            • Instruction ID: 102bffdd484622422054c351298016e2c038559b75692a77ad5a1d4dbe86043a
                                                                                                            • Opcode Fuzzy Hash: 1997495627420b4dce315fa8e0679f99696f1fa95d2517d1ed7ef25548c66fcc
                                                                                                            • Instruction Fuzzy Hash: 1F333F31D1071A8ECB15DF68C8906ADF7B1FF99300F15C79AE459AB211EB70AAC5CB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vl
                                                                                                            • API String ID: 0-682378881
                                                                                                            • Opcode ID: 97db795f1514c5d6505c074ffba07f3d14a37e1fde6bf1b2626157e832d38587
                                                                                                            • Instruction ID: 8ffbab87fb42fad324071ef336dde7b33e5749b7cb5ed92f3b9c4f580579b089
                                                                                                            • Opcode Fuzzy Hash: 97db795f1514c5d6505c074ffba07f3d14a37e1fde6bf1b2626157e832d38587
                                                                                                            • Instruction Fuzzy Hash: D9916FB0E10209CFDF18CFA9C9957DEBBF2BF48314F148529E415A7654EB749846CB82
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b8948e98e007f47621538d40a21d3e4516f3b347e8ca27b621429315ecd13b46
                                                                                                            • Instruction ID: c1ccdd3ff40036657f0df78f4df44ee76f26a52b479933f97b7dd3c03d489500
                                                                                                            • Opcode Fuzzy Hash: b8948e98e007f47621538d40a21d3e4516f3b347e8ca27b621429315ecd13b46
                                                                                                            • Instruction Fuzzy Hash: DAB18070E006098FDF18CFA9C8917EDBBF2AF98314F148529D819E7B54EB749845CB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 012528EE
                                                                                                            • GetCurrentThread.KERNEL32 ref: 0125292B
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 01252968
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 012529C1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: f068256a6b02c5f9dd999c05bf19e4ab0e1c36d67508e13433c07b40d0734410
                                                                                                            • Instruction ID: df39593415c66c67687674d06bdd44d2a5c6e2855f5cc0fb07e02899d32d8d9b
                                                                                                            • Opcode Fuzzy Hash: f068256a6b02c5f9dd999c05bf19e4ab0e1c36d67508e13433c07b40d0734410
                                                                                                            • Instruction Fuzzy Hash: BC5154B4910249CFDB58DFA9D588BDEBBF1EF88314F208419E459A73A0D7349884CF65
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 012528EE
                                                                                                            • GetCurrentThread.KERNEL32 ref: 0125292B
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 01252968
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 012529C1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: 059753e4d19937efcb6363b2f074eddb47f804b242ef2cbce865f35d569ec290
                                                                                                            • Instruction ID: b04e45eb04eafab959b785e3e6ae469d71a3b737529ddbadf1d4df56e772e4f7
                                                                                                            • Opcode Fuzzy Hash: 059753e4d19937efcb6363b2f074eddb47f804b242ef2cbce865f35d569ec290
                                                                                                            • Instruction Fuzzy Hash: 595156B4910249CFDB58DFA9D588B9EBBF1EF88314F208419E459A73A0D7349884CF65
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vl$\Vl
                                                                                                            • API String ID: 0-415357090
                                                                                                            • Opcode ID: 716f4c2e8e36228b1759570da91aa85bfd3866cefb246790820108c97a88be4b
                                                                                                            • Instruction ID: fe0dba940af2393bf4be13f1438bdacfbc7318f4e46ba2cf9f6486810434cb98
                                                                                                            • Opcode Fuzzy Hash: 716f4c2e8e36228b1759570da91aa85bfd3866cefb246790820108c97a88be4b
                                                                                                            • Instruction Fuzzy Hash: FF714FB0E00249CFDF18CFA9C9857DDBBF2AF48314F148129E419A7A54EB749846CB96
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vl$\Vl
                                                                                                            • API String ID: 0-415357090
                                                                                                            • Opcode ID: 63cd4e7d752a6b8996600524f77d1742e23f80f0e9d3b78f0e1482d804c86f27
                                                                                                            • Instruction ID: a1d29281cb5980efcf0b8f00b9eea6c727de10db2c1b5abff2caf3d691bfc3b5
                                                                                                            • Opcode Fuzzy Hash: 63cd4e7d752a6b8996600524f77d1742e23f80f0e9d3b78f0e1482d804c86f27
                                                                                                            • Instruction Fuzzy Hash: 90715AB0E00249CFDF18CFA9C9857DEBBF1BF48314F148129E419A7A54EB749846CB96
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q$LR^q
                                                                                                            • API String ID: 0-4089051495
                                                                                                            • Opcode ID: 5eadba02da2db91d3a12c39b65a2757d9e8074d63c92414fbcf8d88c2c3d7991
                                                                                                            • Instruction ID: 95acf464559ae2b8fb05f13c485a004a5cc11ec01dbbf97d7056650406ca7023
                                                                                                            • Opcode Fuzzy Hash: 5eadba02da2db91d3a12c39b65a2757d9e8074d63c92414fbcf8d88c2c3d7991
                                                                                                            • Instruction Fuzzy Hash: F351D530F006559FDB1ADF78C4507AEBBB2EF86304F14856AE405EB291DB719C46CB52
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0125AEDE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            • Opcode ID: f889ee1e98423a077762019c925a525f538880cd423d11ee8b9247b335e34fb3
                                                                                                            • Instruction ID: 31a717111333395bc8a9074ecbcf208db48bb211588e43550bca3d553cd7aaa0
                                                                                                            • Opcode Fuzzy Hash: f889ee1e98423a077762019c925a525f538880cd423d11ee8b9247b335e34fb3
                                                                                                            • Instruction Fuzzy Hash: FA813670A10B068FDB65DF29D0857AABBF1FF88304F008A2DD98AD7A50D775E945CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125D382
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: 576262e44e8b20006d130ac0397b3b4151783d4417d9124beb288c68d12abf5e
                                                                                                            • Instruction ID: 21dabf5a01828af9c45f7f4ade7b530d25adf817b7aedd98f4e8164193f8e3aa
                                                                                                            • Opcode Fuzzy Hash: 576262e44e8b20006d130ac0397b3b4151783d4417d9124beb288c68d12abf5e
                                                                                                            • Instruction Fuzzy Hash: 25510EB1C10349AFDF15CFA9C884ADEBFB1BF49314F24816AE908AB221D7719881CF51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125D382
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: bb0858680059a5bcfef6e6d64e0e15d522e21becd564d136c47fec5c40397b81
                                                                                                            • Instruction ID: e419f7c642677bc4af1c3eab84f2902bfb06aaf778a0f78a3ada5f45d122fe52
                                                                                                            • Opcode Fuzzy Hash: bb0858680059a5bcfef6e6d64e0e15d522e21becd564d136c47fec5c40397b81
                                                                                                            • Instruction Fuzzy Hash: 9051C0B1D10349DFDB14CFAAC884ADEBFB5BF48310F24852AE819AB251D7719885CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125D382
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: ed66cc810da6a6cce43be6c02e8db1122443a5dfe235e256ed96335a0eab7999
                                                                                                            • Instruction ID: e27bf472218439c90291653416d5db6df22263306e738030a22d94e3dfc4ea70
                                                                                                            • Opcode Fuzzy Hash: ed66cc810da6a6cce43be6c02e8db1122443a5dfe235e256ed96335a0eab7999
                                                                                                            • Instruction Fuzzy Hash: DC41D2B1D103499FDB14CFAAC884ADEBBB5BF48310F24852AE819AB211D7709881CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0125F8F1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CallProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2714655100-0
                                                                                                            • Opcode ID: 6b92ab43a55cc4d8d25aff053d00fd46c087539d27548a6f70802ed4549398f3
                                                                                                            • Instruction ID: b059428665c69f56a33341642bef634fc8d82452c15671f74847902152417643
                                                                                                            • Opcode Fuzzy Hash: 6b92ab43a55cc4d8d25aff053d00fd46c087539d27548a6f70802ed4549398f3
                                                                                                            • Instruction Fuzzy Hash: 8F4138B4A10309DFDB54CF99C588AAAFBF5FB88314F24C459D919AB321D770A841CFA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01252B3F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01252B3F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0125AF59,00000800,00000000,00000000), ref: 0125B14A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0125AF59,00000800,00000000,00000000), ref: 0125B14A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0125AEDE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2879009682.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_1250000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \Vl
                                                                                                            • API String ID: 0-682378881
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PH^q
                                                                                                            • API String ID: 0-2549759414
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q
                                                                                                            • API String ID: 0-2625958711
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q
                                                                                                            • API String ID: 0-2625958711
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            • Instruction ID: 4aad9a9a1348c1260f9e2aebbde66cb5d4a6e3d3de16ee97dc2c92b94feb07c3
                                                                                                            • Opcode Fuzzy Hash: 98f0700fc4d1e8c05b3f8f77491272be24035cff9ad329e9a8bc062e0914e1f4
                                                                                                            • Instruction Fuzzy Hash: CC510471E002288FDB18CFA9D888BDDBBB1BF48314F14812AE859BB355D774A845CF95
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f284c1ae0ac7f174d8e428e48ba9f1f39088e867accfbfb42e00c4d67a2b2245
                                                                                                            • Instruction ID: 897e17b5ae607a0cc01f9c053dfde7506c85fd2f5b421a42e17d4e3eb8c264b9
                                                                                                            • Opcode Fuzzy Hash: f284c1ae0ac7f174d8e428e48ba9f1f39088e867accfbfb42e00c4d67a2b2245
                                                                                                            • Instruction Fuzzy Hash: 70511A39605A628FCB1AEB6EF990A447FB1F7967053008B79D1005B73EEB20798DDB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b247ba952083d8464fd38b5b1c0935c0d5c158b4fa91bb3e6b494a4c83e903cb
                                                                                                            • Instruction ID: 734aae478764bd50ef017a8cc02a39832d4c08610e44d72867e30d1cf55afbdc
                                                                                                            • Opcode Fuzzy Hash: b247ba952083d8464fd38b5b1c0935c0d5c158b4fa91bb3e6b494a4c83e903cb
                                                                                                            • Instruction Fuzzy Hash: 5351FC38605A628FCB1AFB6EF9909457BB1F7967053004B78D1005B73DEB20798DDB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b6acc62710a4f04d7b71b0118c0802cc5ade21f9f8523464da4d93c93ebec9cc
                                                                                                            • Instruction ID: 10484e88114dacf00aae7d4798fa92151a765aac59cc0984439c81bd736e5345
                                                                                                            • Opcode Fuzzy Hash: b6acc62710a4f04d7b71b0118c0802cc5ade21f9f8523464da4d93c93ebec9cc
                                                                                                            • Instruction Fuzzy Hash: 8A319E35E10606ABDB09CFA9D89469EB7F2BF89300F148519E80AEB344DF70E947CB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 925395682f579138558498e176f187f8125a83ed5bbac6a3b2081d958b62c51e
                                                                                                            • Instruction ID: 2e96016869b800aa1e0321289eb63a5dc731555e284b79aa577d2cad514a06aa
                                                                                                            • Opcode Fuzzy Hash: 925395682f579138558498e176f187f8125a83ed5bbac6a3b2081d958b62c51e
                                                                                                            • Instruction Fuzzy Hash: D2317C30700256CFDB6DEB78C5506ED77B2AF4A244F200568D901EB395DB36AD0ACB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 319b14a07ed31da849a727c5f45d6f24acc20263da2de447892cf59253cb7da0
                                                                                                            • Instruction ID: 6c27c15b769df3e4e1f2b3465f59107aea8f65f3af7bed312939e1099cd58585
                                                                                                            • Opcode Fuzzy Hash: 319b14a07ed31da849a727c5f45d6f24acc20263da2de447892cf59253cb7da0
                                                                                                            • Instruction Fuzzy Hash: AD318035E1060AABDB19CFA9D49469EB7B2FF89300F148519E80AE7344DF70AD47CB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4aacb9ec36fbefedaeb302c3198489e7e85a515c11580f3b4de0bcf92207accd
                                                                                                            • Instruction ID: 0d0ea3b8ab6127369d9d571b765c04c8b71f8c62e97422ba25156a9e7cba0cea
                                                                                                            • Opcode Fuzzy Hash: 4aacb9ec36fbefedaeb302c3198489e7e85a515c11580f3b4de0bcf92207accd
                                                                                                            • Instruction Fuzzy Hash: 6841EDB0D002499FDB14DFA9C584ADEBFF5FF48310F24842AE819AB254DB75A945CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dcb15b809fbd28e052af61b81b327e1ffe4a6153d01a7773d835fe0b6488343f
                                                                                                            • Instruction ID: 5bbe2a8899be0a4d954f523947ddb048706c849b63613798bc963dc45382c8be
                                                                                                            • Opcode Fuzzy Hash: dcb15b809fbd28e052af61b81b327e1ffe4a6153d01a7773d835fe0b6488343f
                                                                                                            • Instruction Fuzzy Hash: AD41EEB0D002499FDB14CFA9C584ADEBFF5FF48310F24842AE819AB254DB759946CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 08b7592665cca1cae627aedcf6f9035d00951c8eefeacab243520078edb8141b
                                                                                                            • Instruction ID: 71a31b0bd7cb6799a2684e2a1f3a2ca3104e307f319c24b539c587c37115a91b
                                                                                                            • Opcode Fuzzy Hash: 08b7592665cca1cae627aedcf6f9035d00951c8eefeacab243520078edb8141b
                                                                                                            • Instruction Fuzzy Hash: 03316B30B00216CFDB5DEB79C5506AE77F2AF89244F200568D901EB3A5DB36EC45CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 62035fcd0dc4a992b0328a4fad5e4a172675706f42fa6c76e9bd60b2a7abdad5
                                                                                                            • Instruction ID: aed511a29bb884c9d47208781b93bcdfc06c8ec0a2e8d9406b68ed344326833a
                                                                                                            • Opcode Fuzzy Hash: 62035fcd0dc4a992b0328a4fad5e4a172675706f42fa6c76e9bd60b2a7abdad5
                                                                                                            • Instruction Fuzzy Hash: 6231D931E0064A9BDF09CFA9D48069EF7B2FF85304F148619E405EB385DB709845CB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 33d58fa70e51bb3aa2d2f75462c8707d2d25186e65d035ba6824e1befcbee2ac
                                                                                                            • Instruction ID: 263f3fc7ad31f00962832b8763040eb1ced48e067a5329097e38da2c52066729
                                                                                                            • Opcode Fuzzy Hash: 33d58fa70e51bb3aa2d2f75462c8707d2d25186e65d035ba6824e1befcbee2ac
                                                                                                            • Instruction Fuzzy Hash: CD21A331E0064A9BDF09CFA9D48469EF7B2FF89304F148619E805EB385DB70E846CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c8411f7fb07a65bc61524325e2a696263e833ef1d404dcfa9a187d98c653fb0a
                                                                                                            • Instruction ID: 649a8c36f0f3827f55fd5c35b34fdefc8fff3d7e6e041b5ab36107069a4724f8
                                                                                                            • Opcode Fuzzy Hash: c8411f7fb07a65bc61524325e2a696263e833ef1d404dcfa9a187d98c653fb0a
                                                                                                            • Instruction Fuzzy Hash: EE21F8386005116FDF1BEB2CE9847697762EB45304F010B31D105C736AEB64E885CB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8a0d634d92c33ceeaf7e0d4107a3618d1ab3ccb8fced907117e157e6c84d2daa
                                                                                                            • Instruction ID: 4078bcc88cf0b5bcfcae056dbfb0454a8d604e84e6ea9c37dc0d0df213691174
                                                                                                            • Opcode Fuzzy Hash: 8a0d634d92c33ceeaf7e0d4107a3618d1ab3ccb8fced907117e157e6c84d2daa
                                                                                                            • Instruction Fuzzy Hash: 68215B32F04B52AFCF13AB78980869E7FB1AB46120F150A66DA45D7342EB348845C791
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 15e24a9b1141910513ad8abe1f942263f0a9278d6b786d15f740b9b57fa5bc66
                                                                                                            • Instruction ID: 0b54414664fc0754cb3547272efc8d606e8363cf06b66169b927be9ce1ac7eee
                                                                                                            • Opcode Fuzzy Hash: 15e24a9b1141910513ad8abe1f942263f0a9278d6b786d15f740b9b57fa5bc66
                                                                                                            • Instruction Fuzzy Hash: A421A131E002099BDB1DCFA8D85469EFBB2BF89314F14861AEC15BB341DB70E846CB51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878620013.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_114d000_Quote.jbxd
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 387ca15dc11c764f0633a52b1e94039597a32a7b60fc699c4fabf516a78c339e
                                                                                                            • Instruction ID: b599c2818e3dcbaf83557c5d9539ef69b41c615887e7583a25865f4fa9e3a48b
                                                                                                            • Opcode Fuzzy Hash: 387ca15dc11c764f0633a52b1e94039597a32a7b60fc699c4fabf516a78c339e
                                                                                                            • Instruction Fuzzy Hash: F3218C30B00256DFEF1DEB78C5157AE77B2AF4A204F2004ACD505EB695EB359D40CB61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 688fc62cb993504d578b2883d4a002a203e6bf557ca5cf4f6f9bc18388792b55
                                                                                                            • Instruction ID: 57b977adc7372d81740af6d2f12f9b8101d78cc4bb2b3dd4a9be85c0af306421
                                                                                                            • Opcode Fuzzy Hash: 688fc62cb993504d578b2883d4a002a203e6bf557ca5cf4f6f9bc18388792b55
                                                                                                            • Instruction Fuzzy Hash: FA217A30700205CFCB68EB78C558AAD7BF2AF8D344B2005A8E506EB7A5DB369D01CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d1da7bf674036e2043c1ef2ff04665474b8f7b06cb03aaeae1f9421c4e65111e
                                                                                                            • Instruction ID: 89e0d913f462b146ad7c18e64f32703b96b2cfd34c8ffe3c88511cecfaefb724
                                                                                                            • Opcode Fuzzy Hash: d1da7bf674036e2043c1ef2ff04665474b8f7b06cb03aaeae1f9421c4e65111e
                                                                                                            • Instruction Fuzzy Hash: 86215031E0060A9BCB1DCFA8C45459EF7B6BF89314F10851AEC15BB341DB70E846CB51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 085bb55d2c30269e1f9b5df5270386346d8ce24291395c7586bd21f24f700b76
                                                                                                            • Instruction ID: b457eb450c9fdb452409f737b8d714ad44e643f04063661abc516cb9fb4213e6
                                                                                                            • Opcode Fuzzy Hash: 085bb55d2c30269e1f9b5df5270386346d8ce24291395c7586bd21f24f700b76
                                                                                                            • Instruction Fuzzy Hash: E1215730B00216DFDB1CEB79C5157AE77F2AB89205F200468D506EB3A5EB36DD40CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 194bca47a03cc1aa8983aec1f77869a5987214ec1b7798a145b67b01ff42f385
                                                                                                            • Instruction ID: 328bb010c8ca6c4f1740ef28c1e7d45fba91c76adf5fedac8756345ab83dd5a2
                                                                                                            • Opcode Fuzzy Hash: 194bca47a03cc1aa8983aec1f77869a5987214ec1b7798a145b67b01ff42f385
                                                                                                            • Instruction Fuzzy Hash: 0321DF386009116FDF2AEB2DE9847597766EB45304F014B35D10ACB3AAEB60E8898B81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: eac5d787b167208fe2c45ddcedb5cb9009eebbaeeb91e20c1b284e341e8665a5
                                                                                                            • Instruction ID: b5c4dc15103371baf7ff2ada89d7d815c2577ef08632995027602c7b7bc5da97
                                                                                                            • Opcode Fuzzy Hash: eac5d787b167208fe2c45ddcedb5cb9009eebbaeeb91e20c1b284e341e8665a5
                                                                                                            • Instruction Fuzzy Hash: 85211A30700215CFDB58EB79C558AAE7BF2AF8D344F204468E506EB3A5DB36AD40CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b67c3de6b04a5e138565b78efbf364f92b72880454c6affb96ec0d82b10d3bc9
                                                                                                            • Instruction ID: df4e8ab3227b2d06fc6fdab488fccd5e9f851eb17802ea3a3cf784c48dcff7e5
                                                                                                            • Opcode Fuzzy Hash: b67c3de6b04a5e138565b78efbf364f92b72880454c6affb96ec0d82b10d3bc9
                                                                                                            • Instruction Fuzzy Hash: 0F219074A44250AFEF7A673CE48436C7661E741325F100A2AD60BCB785DB288C89C741
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878620013.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_114d000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 17b4918c435dcbe34b85352626e34210730f554533ff580960d0ffbd01f16abc
                                                                                                            • Instruction ID: cddce4609e38f615e84248b48a1170e9eae514333594512efa133c72df558454
                                                                                                            • Opcode Fuzzy Hash: 17b4918c435dcbe34b85352626e34210730f554533ff580960d0ffbd01f16abc
                                                                                                            • Instruction Fuzzy Hash: 5E219F755083809FCF07CF64D994B11BF71EB56614F28C5EAD8498F2A7C33A980ACB62
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e867d77262609a1ea5f04773e34e1e492c97553e8a9401a4a8244e4b60ad22c0
                                                                                                            • Instruction ID: 46fe09cb249db8fb4ae786d14728cc861d26960be36778f854c5943d94823333
                                                                                                            • Opcode Fuzzy Hash: e867d77262609a1ea5f04773e34e1e492c97553e8a9401a4a8244e4b60ad22c0
                                                                                                            • Instruction Fuzzy Hash: 7E11C130E042049FEF2E567D984136D7BA5EB4A210F114A7AE046DB282DB65DC818BD2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 40e829a99892477b273d275db75ec5cb5a51bb77855b0ba98a6f406a9066807f
                                                                                                            • Instruction ID: c13c911a85fd9413305871f899ad1696dfd766f622a5ec49ed12ccaff70db48b
                                                                                                            • Opcode Fuzzy Hash: 40e829a99892477b273d275db75ec5cb5a51bb77855b0ba98a6f406a9066807f
                                                                                                            • Instruction Fuzzy Hash: 2A118F30F002148FDF5DAA7DD44532E76A5EB89214F218A3AE106CB356DB61DC858BD1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4e31c0a2ee729cefd364c36ef9400d829caec63407851fe5df8c9068ec1c41c0
                                                                                                            • Instruction ID: 73cd46fd438a09254c9951c942beeefacc32731625f869367c1d6aaa03fd7d55
                                                                                                            • Opcode Fuzzy Hash: 4e31c0a2ee729cefd364c36ef9400d829caec63407851fe5df8c9068ec1c41c0
                                                                                                            • Instruction Fuzzy Hash: 9F015231A012159FCF29EFBC84541AEBBF5EF49214F2504BAE805E7301E735E9418BA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 492e187403673059ddb5dbc51474da4649e1c4d9bae05e06cbf543328701056b
                                                                                                            • Instruction ID: 490f4d106a7abcf8f90a5b2a71ca5dd0fc7025ae608f4c8bad1453005549da26
                                                                                                            • Opcode Fuzzy Hash: 492e187403673059ddb5dbc51474da4649e1c4d9bae05e06cbf543328701056b
                                                                                                            • Instruction Fuzzy Hash: 1D118031A002159FCF29EFB884901ADBBF1EF48214F2404BAE805E7301E736D842CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d23adc482169cc6c13f156333d55ceb4e564f551e69add97bed20d01b0b7fb8a
                                                                                                            • Instruction ID: 3927b70854e19027e9dd8788560b29ee54cce53d91505842a82dbc6f8823e94f
                                                                                                            • Opcode Fuzzy Hash: d23adc482169cc6c13f156333d55ceb4e564f551e69add97bed20d01b0b7fb8a
                                                                                                            • Instruction Fuzzy Hash: E7014B39B40214CFD719DB74D458B6C37B2EF88319F1045A8E606CB3A4CB35AC42CB41
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a531fd2b37e394b9795b1a26b0681d6dedffb082e3314d67aaacb39f34b331ff
                                                                                                            • Instruction ID: aec13cf9e16cc89582eab711467f396b74407bbcbb9bae8f2d57b97f572fdbd6
                                                                                                            • Opcode Fuzzy Hash: a531fd2b37e394b9795b1a26b0681d6dedffb082e3314d67aaacb39f34b331ff
                                                                                                            • Instruction Fuzzy Hash: A1F05037A04210EFD72A8BE894901ADBF71EE6911175D00D7D406DB311D735E482C712
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2878889114.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_11d0000_Quote.jbxd
                                                                                                            Similarity
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%