Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
New Quote 50029741830.exe

Overview

General Information

Sample name:New Quote 50029741830.exe
Analysis ID:1436614
MD5:34ebe5ec1252d01fa9233a6b8054a7c4
SHA1:52c7ad0d6b19440b60dde938fb9b1dead88f067e
SHA256:2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • New Quote 50029741830.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\New Quote 50029741830.exe" MD5: 34EBE5EC1252D01FA9233A6B8054A7C4)
    • powershell.exe (PID: 7712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7212 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7784 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • New Quote 50029741830.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\New Quote 50029741830.exe" MD5: 34EBE5EC1252D01FA9233A6B8054A7C4)
      • WerFault.exe (PID: 8048 cmdline: C:\Windows\system32\WerFault.exe -u -p 7948 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • yqlOaUZZYhEp.exe (PID: 8040 cmdline: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe MD5: 34EBE5EC1252D01FA9233A6B8054A7C4)
    • schtasks.exe (PID: 2256 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpEA93.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • yqlOaUZZYhEp.exe (PID: 7200 cmdline: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe MD5: 34EBE5EC1252D01FA9233A6B8054A7C4)
      • WerFault.exe (PID: 7196 cmdline: C:\Windows\system32\WerFault.exe -u -p 7200 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kawajun.com.my", "Username": "admin@kawajun.com.my", "Password": "kawajun1974"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 5 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.New Quote 50029741830.exe.1437c2e8.8.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.New Quote 50029741830.exe.1437c2e8.8.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.New Quote 50029741830.exe.1437c2e8.8.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x31bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x31c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x31cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x31d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x31dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x31e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x31edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.New Quote 50029741830.exe.143b7328.6.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.New Quote 50029741830.exe.143b7328.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 9 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Quote 50029741830.exe", ParentImage: C:\Users\user\Desktop\New Quote 50029741830.exe, ParentProcessId: 7536, ParentProcessName: New Quote 50029741830.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", ProcessId: 7712, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Quote 50029741830.exe", ParentImage: C:\Users\user\Desktop\New Quote 50029741830.exe, ParentProcessId: 7536, ParentProcessName: New Quote 50029741830.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", ProcessId: 7712, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpEA93.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpEA93.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe, ParentImage: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe, ParentProcessId: 8040, ParentProcessName: yqlOaUZZYhEp.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpEA93.tmp", ProcessId: 2256, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Quote 50029741830.exe", ParentImage: C:\Users\user\Desktop\New Quote 50029741830.exe, ParentProcessId: 7536, ParentProcessName: New Quote 50029741830.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp", ProcessId: 7784, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Quote 50029741830.exe", ParentImage: C:\Users\user\Desktop\New Quote 50029741830.exe, ParentProcessId: 7536, ParentProcessName: New Quote 50029741830.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe", ProcessId: 7712, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Quote 50029741830.exe", ParentImage: C:\Users\user\Desktop\New Quote 50029741830.exe, ParentProcessId: 7536, ParentProcessName: New Quote 50029741830.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp", ProcessId: 7784, ProcessName: schtasks.exe

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: New Quote 50029741830.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeAvira: detection malicious, Label: HEUR/AGEN.1323350
                    Found malware configuration
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kawajun.com.my", "Username": "admin@kawajun.com.my", "Password": "kawajun1974"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeReversingLabs: Detection: 42%
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeVirustotal: Detection: 51%Perma Link
                    Multi AV Scanner detection for submitted file
                    Source: New Quote 50029741830.exeVirustotal: Detection: 51%Perma Link
                    Source: New Quote 50029741830.exeReversingLabs: Detection: 42%
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: New Quote 50029741830.exeJoe Sandbox ML: detected
                    Source: New Quote 50029741830.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.143b7328.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, type: UNPACKEDPE
                    Source: New Quote 50029741830.exe, 00000000.00000002.1647637093.000000000409B000.00000004.00000800.00020000.00000000.sdmp, yqlOaUZZYhEp.exe, 0000000B.00000002.1716983836.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: New Quote 50029741830.exe, 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, New Quote 50029741830.exe, 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, yqlOaUZZYhEp.exe, 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: New Quote 50029741830.exe, 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, New Quote 50029741830.exe, 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, yqlOaUZZYhEp.exe, 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, FaJzHLniypp.cs.Net Code: gQYDiI
                    Source: 0.2.New Quote 50029741830.exe.143b7328.6.raw.unpack, FaJzHLniypp.cs.Net Code: gQYDiI

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.New Quote 50029741830.exe.143b7328.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.New Quote 50029741830.exe.143b7328.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B8913280_2_00007FFD9B891328
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B89CA600_2_00007FFD9B89CA60
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B8942AF0_2_00007FFD9B8942AF
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B8912380_2_00007FFD9B891238
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B8914980_2_00007FFD9B891498
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B89F4350_2_00007FFD9B89F435
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B8919800_2_00007FFD9B891980
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B89191D0_2_00007FFD9B89191D
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeCode function: 0_2_00007FFD9B89F45D0_2_00007FFD9B89F45D
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8A132811_2_00007FFD9B8A1328
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8ACA6011_2_00007FFD9B8ACA60
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8A42AF11_2_00007FFD9B8A42AF
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8A123811_2_00007FFD9B8A1238
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8A149811_2_00007FFD9B8A1498
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8AF43511_2_00007FFD9B8AF435
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8A198011_2_00007FFD9B8A1980
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8A191D11_2_00007FFD9B8A191D
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeCode function: 11_2_00007FFD9B8AF45D11_2_00007FFD9B8AF45D
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7948 -s 12
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663062584.000000001E160000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameReactionDiffusion.dll0 vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1657346209.0000000014011000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAxiom.dll@ vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename1be30337-a8af-4608-bc1e-a0f5815dfd84.exe4 vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1664378638.000000001EA2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1664378638.000000001EA2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1647637093.0000000004001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameReactionDiffusion.dll0 vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663012211.000000001E140000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAxiom.dll@ vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000000.1597171655.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamellJi.exe4 vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1663981620.000000001E970000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1647637093.000000000409B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename1be30337-a8af-4608-bc1e-a0f5815dfd84.exe4 vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exe, 00000000.00000002.1647637093.00000000044E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameReactionDiffusion.dll0 vs New Quote 50029741830.exe
                    Source: New Quote 50029741830.exeBinary or memory string: OriginalFilenamellJi.exe4 vs New Quote 50029741830.exe
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.New Quote 50029741830.exe.143b7328.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.New Quote 50029741830.exe.143b7328.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: New Quote 50029741830.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: yqlOaUZZYhEp.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, Tk7F6W0v.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, Tk7F6W0v.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, Tk7F6W0v.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, Tk7F6W0v.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, ivMw3WGb8.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, ivMw3WGb8.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, cdw.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, cdw.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/15@0/0
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeFile created: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeMutant created: NULL
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7200
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeMutant created: \Sessions\1\BaseNamedObjects\nscIPDIXkDUQWyc
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7948
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2196:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD371.tmpJump to behavior
                    Source: New Quote 50029741830.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: New Quote 50029741830.exeVirustotal: Detection: 51%
                    Source: New Quote 50029741830.exeReversingLabs: Detection: 42%
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeFile read: C:\Users\user\Desktop\New Quote 50029741830.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\New Quote 50029741830.exe "C:\Users\user\Desktop\New Quote 50029741830.exe"
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp"
                    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Users\user\Desktop\New Quote 50029741830.exe "C:\Users\user\Desktop\New Quote 50029741830.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7948 -s 12
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpEA93.tmp"
                    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess created: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7200 -s 12
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Users\user\Desktop\New Quote 50029741830.exe "C:\Users\user\Desktop\New Quote 50029741830.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpEA93.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess created: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: New Quote 50029741830.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: New Quote 50029741830.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: New Quote 50029741830.exeStatic PE information: section name: .text entropy: 7.956847379360724
                    Source: yqlOaUZZYhEp.exe.0.drStatic PE information: section name: .text entropy: 7.956847379360724
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeFile created: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeMemory allocated: 1540000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeMemory allocated: 1C000000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeMemory allocated: 910000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeMemory allocated: 1AFB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5964Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 374Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8198Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 692Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exe TID: 7560Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924Thread sleep count: 5964 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936Thread sleep count: 374 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe TID: 8096Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe"
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe"
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe"Jump to behavior
                    Modifies the context of a thread in another process (thread injection)
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeThread register set: target process: 7948Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeThread register set: target process: 7200Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeProcess created: C:\Users\user\Desktop\New Quote 50029741830.exe "C:\Users\user\Desktop\New Quote 50029741830.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpEA93.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeProcess created: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Users\user\Desktop\New Quote 50029741830.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exeQueries volume information: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\New Quote 50029741830.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.1437c2e8.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.143b7328.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.143b7328.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: New Quote 50029741830.exe PID: 7536, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: yqlOaUZZYhEp.exe PID: 8040, type: MEMORYSTR
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.1437c2e8.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.143b7328.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.143b7328.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: New Quote 50029741830.exe PID: 7536, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: yqlOaUZZYhEp.exe PID: 8040, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.1437c2e8.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.143b7328.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.143b7328.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Quote 50029741830.exe.1437c2e8.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: New Quote 50029741830.exe PID: 7536, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: yqlOaUZZYhEp.exe PID: 8040, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		111
                    Process Injection                    		1
                    Masquerading                    		1
                    Input Capture                    		11
                    Security Software Discovery                    		Remote Services1
                    Input Capture                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/Job1
                    DLL Side-Loading                    		1
                    Scheduled Task/Job                    		11
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop Protocol11
                    Archive Collected Data                    		Junk DataExfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    DLL Side-Loading                    		41
                    Virtualization/Sandbox Evasion                    		Security Account Manager41
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Obfuscated Files or Information                    		Cached Domain Credentials12
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                    Software Packing                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    DLL Side-Loading                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 signatures2 2 Behavior Graph ID: 1436614 Sample: New Quote 50029741830.exe Startdate: 06/05/2024 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 9 other signatures 2->50 7 New Quote 50029741830.exe 7 2->7         started        11 yqlOaUZZYhEp.exe 5 2->11         started        process3 file4 40 C:\Users\user\AppData\...\yqlOaUZZYhEp.exe, PE32+ 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmpD371.tmp, XML 7->42 dropped 52 Modifies the context of a thread in another process (thread injection) 7->52 54 Adds a directory exclusion to Windows Defender 7->54 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        20 New Quote 50029741830.exe 7->20         started        56 Antivirus detection for dropped file 11->56 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 22 schtasks.exe 1 11->22         started        24 yqlOaUZZYhEp.exe 11->24         started        signatures5 process6 signatures7 62 Loading BitLocker PowerShell Module 13->62 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 WerFault.exe 2 20->34         started        36 conhost.exe 22->36         started        38 WerFault.exe 24->38         started        process8

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    New Quote 50029741830.exe51%VirustotalBrowse
                    New Quote 50029741830.exe42%ReversingLabsByteCode-MSIL.Trojan.Generic
                    New Quote 50029741830.exe100%AviraHEUR/AGEN.1323350
                    New Quote 50029741830.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe100%AviraHEUR/AGEN.1323350
                    C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe42%ReversingLabsWin32.Trojan.Generic
                    C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe51%VirustotalBrowse

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://www.tiro.com0%URL Reputationsafe
                    http://www.goodfont.co.kr0%URL Reputationsafe
                    http://www.goodfont.co.kr0%URL Reputationsafe
                    http://www.carterandcone.coml0%URL Reputationsafe
                    http://www.sajatypeworks.com0%URL Reputationsafe
                    http://www.typography.netD0%URL Reputationsafe
                    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                    http://www.sandoll.co.kr0%URL Reputationsafe
                    http://www.urwpp.deDPlease0%URL Reputationsafe
                    http://www.sakkal.com0%URL Reputationsafe
                    http://www.founder.com.cn/cn/bThe0%Avira URL Cloudsafe
                    http://www.zhongyicts.com.cn0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn/cThe0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn0%VirustotalBrowse
                    http://www.founder.com.cn/cn/cThe0%VirustotalBrowse
                    http://www.founder.com.cn/cn/bThe0%VirustotalBrowse
                    http://www.zhongyicts.com.cn1%VirustotalBrowse

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.apache.org/licenses/LICENSE-2.0New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.comNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designersGNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/?New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            		unknown
                            https://account.dyn.com/New Quote 50029741830.exe, 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, New Quote 50029741830.exe, 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, yqlOaUZZYhEp.exe, 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.com/designers?New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.tiro.comNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.goodfont.co.krNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comlNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cn/cTheNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 0%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://api.ipify.orgNew Quote 50029741830.exe, 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, New Quote 50029741830.exe, 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, yqlOaUZZYhEp.exe, 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.founder.com.cn/cnNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • 0%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/frere-user.htmlNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.jiyu-kobo.co.jp/New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.galapagosdesign.com/DPleaseNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers8New Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.fonts.comNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.sandoll.co.krNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.urwpp.deDPleaseNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.zhongyicts.com.cnNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • 1%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameNew Quote 50029741830.exe, 00000000.00000002.1647637093.000000000409B000.00000004.00000800.00020000.00000000.sdmp, yqlOaUZZYhEp.exe, 0000000B.00000002.1716983836.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.sakkal.comNew Quote 50029741830.exe, 00000000.00000002.1663180067.000000001E1C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown

                                              World Map of Contacted IPs

                                              No contacted IP infos

                                              General Information

                                              Joe Sandbox version:40.0.0 Tourmaline
                                              Analysis ID:1436614
                                              Start date and time:2024-05-06 08:36:05 +02:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 5m 37s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:24
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:New Quote 50029741830.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@21/15@0/0
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 57%
                                              • Number of executed functions: 151
                                              • Number of non-executed functions: 2
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe

                                              Warnings

                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target New Quote 50029741830.exe, PID 7536 because it is empty
                                              • Execution Graph export aborted for target yqlOaUZZYhEp.exe, PID 8040 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              07:36:51Task SchedulerRun new task: yqlOaUZZYhEp path: C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                                              08:36:50API Interceptor1x Sleep call for process: New Quote 50029741830.exe modified
                                              08:36:52API Interceptor43x Sleep call for process: powershell.exe modified
                                              08:36:56API Interceptor1x Sleep call for process: yqlOaUZZYhEp.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASNs

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\New Quote 50029741830.exe.log

                                              Download File
                                              Process:C:\Users\user\Desktop\New Quote 50029741830.exe
                                              File Type:CSV text
                                              Category:dropped
                                              Size (bytes):1510
                                              Entropy (8bit):5.380493107040482
                                              Encrypted:false
                                              SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
                                              MD5:3C7E5782E6C100B90932CBDED08ADE42
                                              SHA1:D498EE0833BB8C85592FB3B1E482267362DB3F74
                                              SHA-256:361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
                                              SHA-512:3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yqlOaUZZYhEp.exe.log

                                              Download File
                                              Process:C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                                              File Type:CSV text
                                              Category:dropped
                                              Size (bytes):1510
                                              Entropy (8bit):5.380493107040482
                                              Encrypted:false
                                              SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
                                              MD5:3C7E5782E6C100B90932CBDED08ADE42
                                              SHA1:D498EE0833BB8C85592FB3B1E482267362DB3F74
                                              SHA-256:361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
                                              SHA-512:3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:NlllulJnp/p:NllU
                                              MD5:BC6DB77EB243BF62DC31267706650173
                                              SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                              SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                              SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                              Malicious:false
                                              Preview:@...e.................................X..............@..........

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ovwtzm5.kok.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4i33nfam.oo3.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ev5kicve.sg5.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fk2kyu3e.mmv.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmovjg2h.lmt.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nt5gvfwt.si1.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_un41lb2p.0a5.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yoiqw0fr.vqx.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\tmpD371.tmp

                                              Download File
                                              Process:C:\Users\user\Desktop\New Quote 50029741830.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1578
                                              Entropy (8bit):5.122493056622582
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtawxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTVv
                                              MD5:1D08A3D3BA71BE036F98722C208F6323
                                              SHA1:B1686F0BC4254626BCB87599E5C881F71A27A597
                                              SHA-256:16FB1250DD3DCF63C822606FD7DE87E4B58DED3857E9472012D4E35D94B17E98
                                              SHA-512:85FBF9EFA4F300855B32F70D059CB967A96A7CC98C60F91686561BAA5327AB0AF3F80AB0B8C45F5D77D455266181B6C1B84FB4427C97A293396490D2DAFBB69D
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                              C:\Users\user\AppData\Local\Temp\tmpEA93.tmp

                                              Download File
                                              Process:C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1578
                                              Entropy (8bit):5.122493056622582
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtawxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTVv
                                              MD5:1D08A3D3BA71BE036F98722C208F6323
                                              SHA1:B1686F0BC4254626BCB87599E5C881F71A27A597
                                              SHA-256:16FB1250DD3DCF63C822606FD7DE87E4B58DED3857E9472012D4E35D94B17E98
                                              SHA-512:85FBF9EFA4F300855B32F70D059CB967A96A7CC98C60F91686561BAA5327AB0AF3F80AB0B8C45F5D77D455266181B6C1B84FB4427C97A293396490D2DAFBB69D
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                              C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe

                                              Download File
                                              Process:C:\Users\user\Desktop\New Quote 50029741830.exe
                                              File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):731648
                                              Entropy (8bit):7.952935012647608
                                              Encrypted:false
                                              SSDEEP:12288:yjWJm6CfoZ2X4ciGfd2iFl+vnk3yHf4EyG9957CrfH50FyjfG/gMGOXb6s8qCVXS:yokoci8x3KQJG9bOVFMGOWs8qCVXS
                                              MD5:34EBE5EC1252D01FA9233A6B8054A7C4
                                              SHA1:52C7AD0D6B19440B60DDE938FB9B1DEAD88F067E
                                              SHA-256:2FCCE723CA9AB8E66DE8249C6A5B3EF78A4F87DFA128299E097AD8A20BD47C50
                                              SHA-512:B807767B1CC1D118196C65E735B27A2A69CCC64D86E86D851A4D76FD6F1DB064D962200EBB3B799F5100C0C82C7DEA202BDDF71C8C6652366E3034A3B8673FF3
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 42%
                                              • Antivirus: Virustotal, Detection: 51%, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...1Q8f.....................@......>.... ....@...... ....................................@...@......@............... ..........................W.... ..p<...................`....................................................... ............... ..H............text...J.... ...................... ..`.rsrc...p<... ...>..................@..@.reloc.......`.......(..............@..B .......H.......H....I...............2..........................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s..

                                              C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe:Zone.Identifier

                                              Download File
                                              Process:C:\Users\user\Desktop\New Quote 50029741830.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0

                                              Static File Info

                                              General

                                              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.952935012647608
                                              TrID:
                                              • Win64 Executable GUI (202006/5) 84.33%
                                              • Win64 Executable (generic) Net Framework (21505/4) 8.98%
                                              • Win64 Executable (generic) (12005/4) 5.01%
                                              • Generic Win/DOS Executable (2004/3) 0.84%
                                              • DOS Executable Generic (2002/1) 0.84%
                                              File name:New Quote 50029741830.exe
                                              File size:731'648 bytes
                                              MD5:34ebe5ec1252d01fa9233a6b8054a7c4
                                              SHA1:52c7ad0d6b19440b60dde938fb9b1dead88f067e
                                              SHA256:2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50
                                              SHA512:b807767b1cc1d118196c65e735b27a2a69ccc64d86e86d851a4d76fd6f1db064d962200ebb3b799f5100c0c82c7dea202bddf71c8c6652366e3034a3b8673ff3
                                              SSDEEP:12288:yjWJm6CfoZ2X4ciGfd2iFl+vnk3yHf4EyG9957CrfH50FyjfG/gMGOXb6s8qCVXS:yokoci8x3KQJG9bOVFMGOWs8qCVXS
                                              TLSH:C4F41232AB8C8937D63E98F8244296191BB9490B75D1F3C4FD8C86BB7A813DD86147D3
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...1Q8f.....................@......>.... ....@...... ....................................@...@......@............... .....

                                              File Icon

                                              Icon Hash:f8bcd76926924906

                                              Static PE Info

                                              General

                                              Entrypoint:0x4b073e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x66385131 [Mon May 6 03:40:33 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              dec eax
                                              mov eax, dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              jmp eax
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xb06e40x57.text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xb20000x3c70.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xb60000xc.reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x20000xae74a0xae80055a7edb4557c0eab1c3f8761890060c5False0.9556783331840975data7.956847379360724IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc0xb20000x3c700x3e002a04f18b0cbea547fe2c67eafcf4bad0False0.9392641129032258data7.866109764522584IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc0xb60000xc0x200c2800845cc3214e171e7b25985a1c685False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                              RT_ICON0xb21300x373aPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced1.0007780449851464
                                              RT_GROUP_ICON0xb586c0x14data1.05
                                              RT_VERSION0xb58800x23cdata0.46853146853146854
                                              RT_MANIFEST0xb5abc0x1b4XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators0.5642201834862385

                                              Imports

                                              DLLImport
                                              mscoree.dll_CorExeMain

                                              Network Behavior

                                              No network behavior found

                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:08:36:48
                                              Start date:06/05/2024
                                              Path:C:\Users\user\Desktop\New Quote 50029741830.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\New Quote 50029741830.exe"
                                              Imagebase:0xc40000
                                              File size:731'648 bytes
                                              MD5 hash:34EBE5EC1252D01FA9233A6B8054A7C4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1657346209.0000000015C73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1657346209.00000000142E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:08:36:50
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Quote 50029741830.exe"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:08:36:50
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:4
                                              Start time:08:36:50
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:5
                                              Start time:08:36:51
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:6
                                              Start time:08:36:51
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpD371.tmp"
                                              Imagebase:0x7ff76f990000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:7
                                              Start time:08:36:51
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:8
                                              Start time:08:36:51
                                              Start date:06/05/2024
                                              Path:C:\Users\user\Desktop\New Quote 50029741830.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\New Quote 50029741830.exe"
                                              Imagebase:0xcd0000
                                              File size:731'648 bytes
                                              MD5 hash:34EBE5EC1252D01FA9233A6B8054A7C4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:false

                                              General

                                              Target ID:11
                                              Start time:08:36:51
                                              Start date:06/05/2024
                                              Path:C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                                              Imagebase:0x20000
                                              File size:731'648 bytes
                                              MD5 hash:34EBE5EC1252D01FA9233A6B8054A7C4
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1721226968.000000001D384000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 42%, ReversingLabs
                                              • Detection: 51%, Virustotal, Browse
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:12
                                              Start time:08:36:51
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 7948 -s 12
                                              Imagebase:0x7ff711c10000
                                              File size:570'736 bytes
                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:13
                                              Start time:08:36:56
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff693ab0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:14
                                              Start time:08:36:57
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqlOaUZZYhEp" /XML "C:\Users\user\AppData\Local\Temp\tmpEA93.tmp"
                                              Imagebase:0x7ff76f990000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:15
                                              Start time:08:36:58
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:16
                                              Start time:08:36:58
                                              Start date:06/05/2024
                                              Path:C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\yqlOaUZZYhEp.exe
                                              Imagebase:0x350000
                                              File size:731'648 bytes
                                              MD5 hash:34EBE5EC1252D01FA9233A6B8054A7C4
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:18
                                              Start time:08:36:59
                                              Start date:06/05/2024
                                              Path:C:\Windows\System32\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 7200 -s 12
                                              Imagebase:0x7ff711c10000
                                              File size:570'736 bytes
                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Executed Functions

                                                Function 00007FFD9B89CA60 Relevance: 1.8, Strings: 1, Instructions: 546COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L
                                                • API String ID: 0-2909332022
                                                • Opcode ID: 5390b69b669cd6dc4e9b92643dc143186d1a7685420ec432bb01e70a076ebdf4
                                                • Instruction ID: be703f90cf585dd96951bac82beeaf319fcd196823b172ceb25a5af5a895938d
                                                • Opcode Fuzzy Hash: 5390b69b669cd6dc4e9b92643dc143186d1a7685420ec432bb01e70a076ebdf4
                                                • Instruction Fuzzy Hash: 1702127190E3C94FE7268B6488655657FB0EF5B310F1A01FFE0CAC71A3DA286906C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B891238 Relevance: 1.0, Instructions: 1039COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfe9a1bf518557aa2b87d78e1c53c8b2b19fcfc23bc4c17f3ff39ae84def5c0a
                                                • Instruction ID: 7d6c0cd118e3e5cfd184e4bb06e4bbf13d6def40de34e8572de881b16caa9aa1
                                                • Opcode Fuzzy Hash: cfe9a1bf518557aa2b87d78e1c53c8b2b19fcfc23bc4c17f3ff39ae84def5c0a
                                                • Instruction Fuzzy Hash: 75620331F1DA1A4BEB6CEFA884A567977E1FF88304F51417DD45AC32D6DE38A8428780
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8942AF Relevance: 1.0, Instructions: 999COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 62fc1fc79316732dc0a76f5c691f1e22242bf628228732265682bc079447d4d9
                                                • Instruction ID: 9c7c65a4a33b4c00a8f3318892e78f54e83af06e4ae53174e153533d03e2a86c
                                                • Opcode Fuzzy Hash: 62fc1fc79316732dc0a76f5c691f1e22242bf628228732265682bc079447d4d9
                                                • Instruction Fuzzy Hash: 1662E570B19A498FEB6CEB688865AB577D1FF58300F0541BDE05EC72A7DE24AD428740
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89191D Relevance: .5, Instructions: 512COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6e25ee3fe0fc235d0b2312af44fed0e2d82f29f8b4b21138a9d50f5d97dc4e2
                                                • Instruction ID: b5bea68cf5db112d64abd2a1d17cb01d5ca42be0bc4c11507dd93e2901d7769a
                                                • Opcode Fuzzy Hash: e6e25ee3fe0fc235d0b2312af44fed0e2d82f29f8b4b21138a9d50f5d97dc4e2
                                                • Instruction Fuzzy Hash: 5CF1D431F1DA0D4BEBA8EF6888656B97BE1FF98304F410179D05AC72D6DF68A8428741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B891980 Relevance: .5, Instructions: 485COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b705c3fa712b41fc46ff5f90e16c6a30d3c8979d3b4e5a1e7dd505e5c94242fe
                                                • Instruction ID: eda176c91312df9b41969cb296d7bb6d22180259f0cbc36e7771af9f072a9498
                                                • Opcode Fuzzy Hash: b705c3fa712b41fc46ff5f90e16c6a30d3c8979d3b4e5a1e7dd505e5c94242fe
                                                • Instruction Fuzzy Hash: EDF1B031F1DA0D8BEBA8EF6884656BD77E2FF98304F410179D41AC32D6DE68A8428741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B891328 Relevance: .5, Instructions: 473COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b21f21ac524dd70d4bf70ccd250e0a293d6e6d8b159219490fd42f7736fae68c
                                                • Instruction ID: 0561347cfcf1ddf667e12e5d7f615aaa9950a3e5de5556eab392771036e8929d
                                                • Opcode Fuzzy Hash: b21f21ac524dd70d4bf70ccd250e0a293d6e6d8b159219490fd42f7736fae68c
                                                • Instruction Fuzzy Hash: E5E18831B1991D8FEFA8EFA8D864AB977E2FF98310B150179D40ED72E5CE25AC418740
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B891498 Relevance: .4, Instructions: 390COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f99d0be20e7a10f2bf15838f919170c270469be06518446e0ae009f86f2db450
                                                • Instruction ID: ee0117ce4c4614fb01b656fd2d9df27ba4d47b7cf83ab918d2fbad5bdb4cb73d
                                                • Opcode Fuzzy Hash: f99d0be20e7a10f2bf15838f919170c270469be06518446e0ae009f86f2db450
                                                • Instruction Fuzzy Hash: 31D17278E0855E9FEF58EBA8D4A5ABDBBB1FF58310F01116AD00AE7291DF34A541CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B6B3 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 7
                                                • API String ID: 0-1790921346
                                                • Opcode ID: 06f57dcb43621b41db0ca114a1988eb23a7f317813170258cb0350bc05f9f72a
                                                • Instruction ID: 7f75f43bd84138a362745e08d2d71914eb3e3843d3b04dddeef4815ec9dea78d
                                                • Opcode Fuzzy Hash: 06f57dcb43621b41db0ca114a1988eb23a7f317813170258cb0350bc05f9f72a
                                                • Instruction Fuzzy Hash: DE119E34B2851D4BEB2CAA6C84724BC77E6EB89710B24843DD59BC22E2DD38F9464640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B728 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ^
                                                • API String ID: 0-1590793086
                                                • Opcode ID: f87d560f20a45ef20f9651936539b8b53e47ad43d98ae0bc94f33c7b61068983
                                                • Instruction ID: adc870f7d25667f5eee8d5b5e97780386135c25b2b0cec701490dbb016a18ba7
                                                • Opcode Fuzzy Hash: f87d560f20a45ef20f9651936539b8b53e47ad43d98ae0bc94f33c7b61068983
                                                • Instruction Fuzzy Hash: 7411A330B1D65A8AEB3D9BA8C0711BC7BE5EB49301F21503DE4DBC21D1DD38FA425600
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B699 Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 7
                                                • API String ID: 0-1790921346
                                                • Opcode ID: 0eae55a78b32d2084bfc8a66e36c8b9f3b44d0fa37d7d852136203e6e16e9846
                                                • Instruction ID: 56fb4a186bc774ce9b50a3f18fddc7ec9b3a0b1b64635575621bcb6d4cca91ba
                                                • Opcode Fuzzy Hash: 0eae55a78b32d2084bfc8a66e36c8b9f3b44d0fa37d7d852136203e6e16e9846
                                                • Instruction Fuzzy Hash: 7001D630B2D51D4AEB3D9B68C4714BC77E5EB49701F21843DD49BC21D2DE38FA464640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89697E Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: o+
                                                • API String ID: 0-251698391
                                                • Opcode ID: b660a5b6231ab76350265d75873dae6818ccddf8a0c4624177a358072d323278
                                                • Instruction ID: 2c9a07d865f65c63954349d7ca8cf7c714dee6cd2723ff6a9a050bdb459954f4
                                                • Opcode Fuzzy Hash: b660a5b6231ab76350265d75873dae6818ccddf8a0c4624177a358072d323278
                                                • Instruction Fuzzy Hash: 12F03C74A0A95C8FDB69DF54C4A4AA87BB1FB59300F1401EAD00ED72A2CA346E80CB01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B896A66 Relevance: .6, Instructions: 630COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae413c969013648add31bd26212b7196d53010595ff7794642e46ef2aeaae84f
                                                • Instruction ID: 72155f4a049262351e7f7ba924e28f51bad613e5954c5330b76fa6a2ca0f16f4
                                                • Opcode Fuzzy Hash: ae413c969013648add31bd26212b7196d53010595ff7794642e46ef2aeaae84f
                                                • Instruction Fuzzy Hash: 5A32BE70A1995D8FDFA8EF58C8A5BA8B7B1FB68301F1441E9900DE7291DE356D81CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B896A15 Relevance: .5, Instructions: 451COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 883c2acf9a7e46b31de07a52ad0c51cf00f509c4d1e02eea8ad8f8f539c79512
                                                • Instruction ID: bde383cb1d773c725631b135186846132326f66bd3a1c46c4d58fadd92af2361
                                                • Opcode Fuzzy Hash: 883c2acf9a7e46b31de07a52ad0c51cf00f509c4d1e02eea8ad8f8f539c79512
                                                • Instruction Fuzzy Hash: 8CF1CE70A1995D8FDFA8EB58C8A5BE8B7B1FB68301F1501E9900DE3291DE356E81CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B897C39 Relevance: .4, Instructions: 400COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18719bb0e4ace6937d3242b6ee470df1ecf6f5e0832ffe57dae9410fe3cf4ede
                                                • Instruction ID: e1f117ab00c41f5a52def86983d002e66e67eac049e1394533c7eb814b634218
                                                • Opcode Fuzzy Hash: 18719bb0e4ace6937d3242b6ee470df1ecf6f5e0832ffe57dae9410fe3cf4ede
                                                • Instruction Fuzzy Hash: B1E1B934A0995E8FEFB8DB48C865BA877A1FF98311F1101F8D40DD3695DB396E868B40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B899723 Relevance: .3, Instructions: 308COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ea14d7ab764a1604c66e0480572c163cb35df52a272980a435bf8748e41704ec
                                                • Instruction ID: 081184f2691e12e1023d9f14a855f50dc6be2f2f086575e5d8e11735c2171e1d
                                                • Opcode Fuzzy Hash: ea14d7ab764a1604c66e0480572c163cb35df52a272980a435bf8748e41704ec
                                                • Instruction Fuzzy Hash: 07C10A70E08A1D8FDF98DF58C495AA9BBB2FFA8310F1485A9D41DE7255DB30A981CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89E1AE Relevance: .3, Instructions: 279COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7dd87c452eaaf187164d98f19abb1d683a0bfa81eb833d642b3d00261f26e1b
                                                • Instruction ID: 7505b97de5da651067ed51da6c5989bcd92f04afad6a080faf3aedebea5f2a08
                                                • Opcode Fuzzy Hash: f7dd87c452eaaf187164d98f19abb1d683a0bfa81eb833d642b3d00261f26e1b
                                                • Instruction Fuzzy Hash: 12913E70A15A1DCFDB59DB48C8A1BE9B7B2FB99305F2001BDC44AD3695CE356D82CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892D2D Relevance: .3, Instructions: 268COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4e9152da5d22eed0130a66c7d341ab100dea74042698665ca715730097ee94db
                                                • Instruction ID: 78171efa04f2fb6e6ed68bbe8fcaf0a3258272de6351f8ff277d93ad4444bd73
                                                • Opcode Fuzzy Hash: 4e9152da5d22eed0130a66c7d341ab100dea74042698665ca715730097ee94db
                                                • Instruction Fuzzy Hash: 31717D22B1E6890FDB6D9BFC58A45753FD0DF8A22471A41FED48AC71A7DD189C438381
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B891300 Relevance: .3, Instructions: 253COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0537e29f1143f5bf18d9f748932ac3fdcd2446fbcd995372bdd90bd7675f3929
                                                • Instruction ID: 09187cd3a339fd89923c56320cfa48eb2a86932379d630008256648836df9e4d
                                                • Opcode Fuzzy Hash: 0537e29f1143f5bf18d9f748932ac3fdcd2446fbcd995372bdd90bd7675f3929
                                                • Instruction Fuzzy Hash: 6B617D21F0E99E0FEBB896BC58765753BD1EF99210B0901BFD05DC31E6DD18AD468381
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89AF37 Relevance: .2, Instructions: 248COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 90cc0797d401a45fa22f23e8896f8602ff40038575ad1f15a141ed44466c1e35
                                                • Instruction ID: e0634939d68153016d81ac3e91c1598d5d807f3397ebceca4f695c86d8ca0275
                                                • Opcode Fuzzy Hash: 90cc0797d401a45fa22f23e8896f8602ff40038575ad1f15a141ed44466c1e35
                                                • Instruction Fuzzy Hash: 92812920A0E2C54FD7269B648C65A653FB1EF97310F1A41FBD089C71E7D92CA906C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8983A9 Relevance: .2, Instructions: 247COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f9746da094129ae1bd48fb4607485cbc45e0b399d15b2dd7a9ec866448efa4f
                                                • Instruction ID: d6861cec11806d40fe47f75cad74fc74aee620a00f40267e61c97b6894cf2042
                                                • Opcode Fuzzy Hash: 5f9746da094129ae1bd48fb4607485cbc45e0b399d15b2dd7a9ec866448efa4f
                                                • Instruction Fuzzy Hash: FC816D70E0965E8FEFA4DB988860BE87BB1FF59340F1141BAD00DE7191DB359986CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8983DD Relevance: .2, Instructions: 231COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97875de4cfbc08540707e05ff78a7ab383f6ddd36251491dd7eff4448ec8f961
                                                • Instruction ID: 5b065bb4ddfa2ffb7471ec6ac0e27a48fb803049923ad413bf1b29114ca4179c
                                                • Opcode Fuzzy Hash: 97875de4cfbc08540707e05ff78a7ab383f6ddd36251491dd7eff4448ec8f961
                                                • Instruction Fuzzy Hash: C8717D70E0D65E8FEFA5DB988860BE87BB1FF59340F1541BAD00DE71A2DA345986CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8908CD Relevance: .2, Instructions: 210COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9aa1fc219bd9049c634b56933890b2d2fc1743962acbe587d718be8a44caee72
                                                • Instruction ID: c923d7c5e86ea46b97bbd16b96da5840fad7aec98e4f220808fc8c9bf9cf1220
                                                • Opcode Fuzzy Hash: 9aa1fc219bd9049c634b56933890b2d2fc1743962acbe587d718be8a44caee72
                                                • Instruction Fuzzy Hash: 01615A62B2DD8A0BEBACE72884A1AB1B7D1FF68740F0505B9D05EC31D7ED24B9468341
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B334 Relevance: .2, Instructions: 207COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33313e47558ab109dd132357dc13c64d065e1df13a24372caae5a1160dec03b6
                                                • Instruction ID: 34d0488b39ea4b1dafabfc3608b658c87a9c8183d3526e8ec0bc9b669b58045c
                                                • Opcode Fuzzy Hash: 33313e47558ab109dd132357dc13c64d065e1df13a24372caae5a1160dec03b6
                                                • Instruction Fuzzy Hash: 89610730A0D3894FDB2ADB6488A55753FB5EF57300B1641EEC48ACB1E3D928E946C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B893435 Relevance: .2, Instructions: 206COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f83e1a7f805992b62b42d16a551e17d17fe3774a56fa9f53c66916e73178e873
                                                • Instruction ID: 50bb5362f2a3e4fd06e71ee698a53a5e08c183dae02e09b03163a60e19cc1045
                                                • Opcode Fuzzy Hash: f83e1a7f805992b62b42d16a551e17d17fe3774a56fa9f53c66916e73178e873
                                                • Instruction Fuzzy Hash: 2C618F71609B8E8FDFA9CF58D8606A53BA1FF5D304F1506ADD46AC72E2CA35E902C740
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B3B3 Relevance: .2, Instructions: 192COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 894f1e8738d938b5b15cba3aa55500eea0bea0dd41c2c986679c39e86b02e26c
                                                • Instruction ID: dcace1c3698e8c5ac8c129df0e46846527911d9dc094db073ac16a86a4cd9ae1
                                                • Opcode Fuzzy Hash: 894f1e8738d938b5b15cba3aa55500eea0bea0dd41c2c986679c39e86b02e26c
                                                • Instruction Fuzzy Hash: F451E831A0D6854FDB1ACB64C8A59653FB5EF67310B1641EAC08ACB1F3D928EC47C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89D81C Relevance: .2, Instructions: 183COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5df8f532a662cfc711217e8c52e93ef6f8373bc3c7fc246eb24b789fcf4411cc
                                                • Instruction ID: 478193e3c469b96f8a5c616dc760114260e06665e0a6dcc53d317ed645f4c8dc
                                                • Opcode Fuzzy Hash: 5df8f532a662cfc711217e8c52e93ef6f8373bc3c7fc246eb24b789fcf4411cc
                                                • Instruction Fuzzy Hash: 59518034A1A91E9FEB58DF48D450BE9B7B2FB6D300F2401B8D449D7795CA35AD81CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892700 Relevance: .2, Instructions: 173COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08c4ed1591d2484f289e3b9c578be90f778637e264804a8a5c4a42aac0c6b04b
                                                • Instruction ID: 096c1a64a596f95ce6d93abd3c0bd4c883eaee7a13919cd115312d78583d7a35
                                                • Opcode Fuzzy Hash: 08c4ed1591d2484f289e3b9c578be90f778637e264804a8a5c4a42aac0c6b04b
                                                • Instruction Fuzzy Hash: B041A032B6D2460FEB2C8FE8A8855B13BD1EF9932971A457DC49BC7163E928A4434781
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8960AF Relevance: .2, Instructions: 158COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abbb89e99d32aa505d479ab8a5e6edc8ad344ed4f73ad92725335e977c55420a
                                                • Instruction ID: d339ad4edcd4eaf5080cbee0cf9af85eb403a31d7a8829201dd531c46c34c773
                                                • Opcode Fuzzy Hash: abbb89e99d32aa505d479ab8a5e6edc8ad344ed4f73ad92725335e977c55420a
                                                • Instruction Fuzzy Hash: 00417B71A0EA5D8FEFA4EB98D8A4AEDBBB0FF58310F05057AD04DD7292DA24A541C740
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89CB4B Relevance: .2, Instructions: 156COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 28b46d5b277c8bfd49c3ea666d417805a996f6fcc0dd9b5abf3f7f65e84b7c81
                                                • Instruction ID: f317dbaed6a59daca6b0b455cc31f284e6b1813b702b38210be1f28ff9e58bd5
                                                • Opcode Fuzzy Hash: 28b46d5b277c8bfd49c3ea666d417805a996f6fcc0dd9b5abf3f7f65e84b7c81
                                                • Instruction Fuzzy Hash: 9D413621A0E3C94FE72697348C691683FE1EF5B314F1A42BBD099CB1E3E92D5A06C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89CAFB Relevance: .2, Instructions: 151COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 875097480fbce346cdb9d2d0dffb59e105e7dbdc6a89584bf7c48a686681ac2e
                                                • Instruction ID: 545eea12986d5528621958cd4cba5bb30ce57842395247f1e6b4f23f4b00ca9e
                                                • Opcode Fuzzy Hash: 875097480fbce346cdb9d2d0dffb59e105e7dbdc6a89584bf7c48a686681ac2e
                                                • Instruction Fuzzy Hash: 4A412321A0E3C94FE726973488685683FE1EF5B314F1A02BFD099C71E3D92D5A06C752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89CB89 Relevance: .1, Instructions: 130COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7a3a5ab5adbb56c07529c8a0a59677cd2971cd131aa49dc34c6e9885d53ae38
                                                • Instruction ID: 91b31044b98e9692d493068b803bba44ac0cc41397346fdc10f40b141da92d97
                                                • Opcode Fuzzy Hash: f7a3a5ab5adbb56c07529c8a0a59677cd2971cd131aa49dc34c6e9885d53ae38
                                                • Instruction Fuzzy Hash: C741E261A0E3C94FE727973448691683FA0AF5B318F1A01FFD099C71E3E929590AC752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89CBA2 Relevance: .1, Instructions: 130COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dcf28e1c12f3e3a71d54c4c85ce2d1da033699f9c3cdd71235c110e173067142
                                                • Instruction ID: d7ff89389c2d1faea3e373492ad32cf896a917ed8832a6977d522441695d405f
                                                • Opcode Fuzzy Hash: dcf28e1c12f3e3a71d54c4c85ce2d1da033699f9c3cdd71235c110e173067142
                                                • Instruction Fuzzy Hash: FF41EF61A0E3C94FE727977488691643FA0AF5B318F1A01FFD099CB1E3E929590AC752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B899490 Relevance: .1, Instructions: 127COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a983a02c2145cf9ec13ad2c1a02c50d91abf2a8fba3e33c37619900eacabd179
                                                • Instruction ID: 913943ec3556b090f568f0d31e18782d8a340b3189d21e232b7a4016b8e292a9
                                                • Opcode Fuzzy Hash: a983a02c2145cf9ec13ad2c1a02c50d91abf2a8fba3e33c37619900eacabd179
                                                • Instruction Fuzzy Hash: DB519574E1A61ECBDF68CF94D4685FEBBB1BF48301F11043AD41AA7390DA34AA40DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B485 Relevance: .1, Instructions: 126COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e78d0ecd16b1506a0f8bef6a357852d38275adfcf9b1170b9d20c7f5289cda0d
                                                • Instruction ID: dfc6cff5f4de54454f34e8cda162881e4f394c51b6ef78b8abfab7ec46917e9f
                                                • Opcode Fuzzy Hash: e78d0ecd16b1506a0f8bef6a357852d38275adfcf9b1170b9d20c7f5289cda0d
                                                • Instruction Fuzzy Hash: D841DE2190E3C94FD7238BB488655A53FB4EF57310B1A41EFD0CACB1A3E958AC46C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B4CF Relevance: .1, Instructions: 125COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65cfd2be846ad9c3335e788685711deb6d172e614514e0a8c5e8bf3743174fa3
                                                • Instruction ID: 67bf6a504043b83abc7fe6854d122f49b592498e83a000868320ca4c79f290a2
                                                • Opcode Fuzzy Hash: 65cfd2be846ad9c3335e788685711deb6d172e614514e0a8c5e8bf3743174fa3
                                                • Instruction Fuzzy Hash: 6841C22190E3C54FDB239BB488655A53FB4EF57310B1A41EBD48ACB1A3E9586846C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B4AF Relevance: .1, Instructions: 124COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d6334d565df7b8e89ee866041ae53761d2e600162c9d06d9c679231eb16ceec3
                                                • Instruction ID: 86d4dc2ecf53ae94daed8ff0b1f26835bf87cd69e5cece3b997f2ce7424b87f4
                                                • Opcode Fuzzy Hash: d6334d565df7b8e89ee866041ae53761d2e600162c9d06d9c679231eb16ceec3
                                                • Instruction Fuzzy Hash: 0841CB6190E3C54FD7278B748C665A13FB4EF57210B1A81EFD4CACB1A3E9686847C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B899E65 Relevance: .1, Instructions: 113COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 64f5e32e41679f6b21dfffeaf20bab22679aca8434d04a849f68dfd18d6e3ad9
                                                • Instruction ID: f3dcbbcb997c2a55808803ad63127fce58b2025a6a390c3a5e1b180f2bb0e6ab
                                                • Opcode Fuzzy Hash: 64f5e32e41679f6b21dfffeaf20bab22679aca8434d04a849f68dfd18d6e3ad9
                                                • Instruction Fuzzy Hash: 3131F370E09A5D8FDFA4DF98D4A4AEDBBB1FF68300F11056AD00EE7291DA75A941CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B899475 Relevance: .1, Instructions: 111COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42aca2c0ce264b6a92f8bd4d49211741a9cf130f91b8d3356da7150697736daf
                                                • Instruction ID: 08f244ed6f53fca47d9cebdfccf3d95beee507280bfa3e1249f18f107eea50f1
                                                • Opcode Fuzzy Hash: 42aca2c0ce264b6a92f8bd4d49211741a9cf130f91b8d3356da7150697736daf
                                                • Instruction Fuzzy Hash: 49418674E1A21E9BDF68CF94D4A85FEBBB1BF48311F11443ED41AA7390DA34AA40CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B893079 Relevance: .1, Instructions: 106COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f9b2e6e63afe597cb6dd9bd567ee37502c80403e31c6f0f37c468e84a37d33a
                                                • Instruction ID: 334adb50263a4ac2dcecb8450a63fa8851ff7025e17249a9c71fb7cb8bdeffaf
                                                • Opcode Fuzzy Hash: 4f9b2e6e63afe597cb6dd9bd567ee37502c80403e31c6f0f37c468e84a37d33a
                                                • Instruction Fuzzy Hash: 0B216522B0A50A0FEFA4E7BC64655BD2BD2DF9D25171601B6E409CB2BBED189D424341
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B518 Relevance: .1, Instructions: 105COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b6297ec3e2bf28e954026904cf176d9d89113ba10b5af1e68c20a7a79097c30
                                                • Instruction ID: 814cbd8265640f8be3416ea702b7c761d5c74d80479ab774a2720837c7b03fe3
                                                • Opcode Fuzzy Hash: 6b6297ec3e2bf28e954026904cf176d9d89113ba10b5af1e68c20a7a79097c30
                                                • Instruction Fuzzy Hash: 8331CE7180E3C54FD7238B748CA55A13FB4EF57310B0A42EFC485CB1A3E9586846C3A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8907E5 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54db40a62613b647150f50792178c81eced2ed66d1d094b9d99f2272b7329a62
                                                • Instruction ID: 2ed5d685d22ab7d4bc5adf2494b331bba80ea2f4a2567c7846e8f2f33378a240
                                                • Opcode Fuzzy Hash: 54db40a62613b647150f50792178c81eced2ed66d1d094b9d99f2272b7329a62
                                                • Instruction Fuzzy Hash: DB310553F1FAC61FEB6613B80C350E47FA1AF6265070A01FBC4A89A4E7DD086D098382
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89C865 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35748a4b53bc6a4db500768a43bea51a90ffd7c52dd53a214904b21311643594
                                                • Instruction ID: ee605cea51635f83eac03c9b4af344d1e0128558ac80a641f6b3b1aaf18f9d1d
                                                • Opcode Fuzzy Hash: 35748a4b53bc6a4db500768a43bea51a90ffd7c52dd53a214904b21311643594
                                                • Instruction Fuzzy Hash: F1214C62B0E64D4FEBA49BA888A91793BD1EB99350B06027FD44EC32E2DD196D418741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8960A8 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 94ba986531fcec6f0848cd0ab8cde861772a91b26e63b92561bde650a2ba0451
                                                • Instruction ID: afee33abf65b5b2c4d0c5752ed6a060200bf8ec723ede24b632df31c21683c01
                                                • Opcode Fuzzy Hash: 94ba986531fcec6f0848cd0ab8cde861772a91b26e63b92561bde650a2ba0451
                                                • Instruction Fuzzy Hash: F131D470E19A5D8FDFA4EB98D4A4AEDBBB5FB58300F11043AD00EE7290DA75A940CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892FA8 Relevance: .1, Instructions: 101COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b11dae6f984c0d9ed484ec911e4bf8e8d7449ba063eddcc581dfd29766a165ab
                                                • Instruction ID: 4d5c452a215f2d0b87997ce17b74bb8701618023c97bcf7e31afd24c7d9961e5
                                                • Opcode Fuzzy Hash: b11dae6f984c0d9ed484ec911e4bf8e8d7449ba063eddcc581dfd29766a165ab
                                                • Instruction Fuzzy Hash: 3E21AD72B0B9494FEFA4E7AC946957437D2EFDC25130601B6E409C73B7ED14AD428700
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892871 Relevance: .1, Instructions: 96COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3531a2f00c424021a2634567ca0afbe8a609926a9c4ba38512482ae512290a76
                                                • Instruction ID: 990c4607f6d1cfd6cc42022ccac81d4f3003e20c98d32144723b0065236e569e
                                                • Opcode Fuzzy Hash: 3531a2f00c424021a2634567ca0afbe8a609926a9c4ba38512482ae512290a76
                                                • Instruction Fuzzy Hash: 03219131B1AA5E4FEBBDDFAC84645757BE0EF58310B4605BED04BC76A1CE25E9428340
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B893B8E Relevance: .1, Instructions: 94COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 15c02c083b127239ee6397cd6ef2d6c51e97fa76cfa2983efa33da5dc28a3297
                                                • Instruction ID: 557ff5032faa998ae938277f77f3389c8f28c6ed6dd5c03df1eab890f350a922
                                                • Opcode Fuzzy Hash: 15c02c083b127239ee6397cd6ef2d6c51e97fa76cfa2983efa33da5dc28a3297
                                                • Instruction Fuzzy Hash: C1314E71719A4D8BDF98CF58D8716A537A1FF5C318B250599E42EC72D2CA32E912CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B891250 Relevance: .1, Instructions: 88COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4024e4be2e7d98bc09d1cae08a4f034d565c53cdd113335f06a6266ae409a47
                                                • Instruction ID: 848b6e6d0bc4046c409105ffb5dc4f8129ac15ddf626729c0d8c2984448befcf
                                                • Opcode Fuzzy Hash: a4024e4be2e7d98bc09d1cae08a4f034d565c53cdd113335f06a6266ae409a47
                                                • Instruction Fuzzy Hash: F2212711B0F6E61EEB66F7B94C281747F90AF56214B0842FBC0D9CB4D7EC489A858381
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B891490 Relevance: .1, Instructions: 87COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74a0e69b7676c542026fb2a6f9e4398ccef7deee356dd22f511faa1452f5c64b
                                                • Instruction ID: 2c84bf2055a81af6de3ca810f8c8794c8b9add4800a38bf72519c1b51ba87dba
                                                • Opcode Fuzzy Hash: 74a0e69b7676c542026fb2a6f9e4398ccef7deee356dd22f511faa1452f5c64b
                                                • Instruction Fuzzy Hash: 9F210121E0D6994FDB1AF7A8AC745EDBFB0EF46218B0901F7D05DCB0A3ED2464468381
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89CC29 Relevance: .1, Instructions: 81COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc6c0bd3aeac3c2870a172581137b074b0dacb2bcd116a865b68045fb9169d7c
                                                • Instruction ID: e249c9fe2fdbe9985ae6badb854cc86d31579ee7fb280ec5ead45272bc3f05c1
                                                • Opcode Fuzzy Hash: fc6c0bd3aeac3c2870a172581137b074b0dacb2bcd116a865b68045fb9169d7c
                                                • Instruction Fuzzy Hash: 9E216D30B0D6D84FE765A76888585793FE1EF89348F15017EE49DC72E3DE396A068341
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8981B4 Relevance: .1, Instructions: 67COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1bb7661d0b6e15e4ff6154c371a944fae6ecda54ca743211c9d417b54bf8cb38
                                                • Instruction ID: 7315caab3f44d316a9aa119226c2fbae24b51f4e94db07e7800784647310e962
                                                • Opcode Fuzzy Hash: 1bb7661d0b6e15e4ff6154c371a944fae6ecda54ca743211c9d417b54bf8cb38
                                                • Instruction Fuzzy Hash: CE21DE30A0991DCFDFA8DB58D8A4AA873B1FF99305F1111E9D00ED72A1CB35AE81CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B891862 Relevance: .1, Instructions: 64COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b4dbfd18401ce065b225ffe5b9733e5cdbadbe80c14a15b541ad974ef62e025
                                                • Instruction ID: 08205c72575502bd02cc33ff8af29ecc80b24d52fb08c3ec645bf19071cc132d
                                                • Opcode Fuzzy Hash: 4b4dbfd18401ce065b225ffe5b9733e5cdbadbe80c14a15b541ad974ef62e025
                                                • Instruction Fuzzy Hash: FE118F30E19A5E8FDF95FBA488655FDBBF1FF59300F41007AC418E32A1DA7959818780
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892F59 Relevance: .1, Instructions: 62COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 946be1ae53e2a24e6df6e526a8af7e3112e2a685efb6000f3f98f9f1995829ad
                                                • Instruction ID: 7d92f968710021f5bc17c8ed8e947ecd6773db9d7c8fc46758ee1c44f542bfbd
                                                • Opcode Fuzzy Hash: 946be1ae53e2a24e6df6e526a8af7e3112e2a685efb6000f3f98f9f1995829ad
                                                • Instruction Fuzzy Hash: 3301C421B0E5494FDB69EBBC98349A93BD2DF8D24074641F6E409C72B7DD18AE034340
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8926C5 Relevance: .1, Instructions: 55COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb528371951cd4987f2dc57ba9c9ae490dcfeb2fbbe45d92ffbb3893a27744ea
                                                • Instruction ID: 04269965c35664506d8f9261854ae95e47a3c84ced6e4d4265b8d740383e95aa
                                                • Opcode Fuzzy Hash: fb528371951cd4987f2dc57ba9c9ae490dcfeb2fbbe45d92ffbb3893a27744ea
                                                • Instruction Fuzzy Hash: 66014961D0E6CD1FEB669FA4886C4D97FE0EF5A240F4A40FBC848CB4B3DD2859428341
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892494 Relevance: .1, Instructions: 55COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1571e8c9146f27d14d92a7fed1b41e48e01d431ea42775ffeda959485d906f25
                                                • Instruction ID: 176b7c18ff93fca102ce084d454a0d776ac85778c9c9ac6688407f190fd2e19c
                                                • Opcode Fuzzy Hash: 1571e8c9146f27d14d92a7fed1b41e48e01d431ea42775ffeda959485d906f25
                                                • Instruction Fuzzy Hash: C211E520E0E6D60FE76AD7B848716707FE19F47250F0902EAC094CB5E7D95CE8868361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8973F1 Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5fdd263cc393d903b8815dcf30c9f0391275cc42004634d201006099eed7cebf
                                                • Instruction ID: 7c6b28c1682ca098e14fc8ca63434b387683d1a1b0aa129e491d2d9b601ee978
                                                • Opcode Fuzzy Hash: 5fdd263cc393d903b8815dcf30c9f0391275cc42004634d201006099eed7cebf
                                                • Instruction Fuzzy Hash: 1F115E6598F2C95FDB2347A05C225E53FB49F07214F0A41E7E0888A4F3CA5D2656C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B6FB Relevance: .0, Instructions: 50COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f10baba608c857b7b31d702746ba3156074645fbf775f4d46f2263253184d92
                                                • Instruction ID: 30a120891e94c589172cdf8c1b059fb18fe4fd148fff0444fa93c5b1acb50301
                                                • Opcode Fuzzy Hash: 9f10baba608c857b7b31d702746ba3156074645fbf775f4d46f2263253184d92
                                                • Instruction Fuzzy Hash: BB017530B1954A4BEB3D9B68C4715F837E6EB49305F20903ED59BC71E2DE38FA465640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B893659 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 545a4f076b888e09b59024c17fa7fa133ce909646f45fcba90c3a6f4b8c7265a
                                                • Instruction ID: 39c46f7b828545aebbd93e84ed2ad6322805a8248a8525cf6a148308152c055a
                                                • Opcode Fuzzy Hash: 545a4f076b888e09b59024c17fa7fa133ce909646f45fcba90c3a6f4b8c7265a
                                                • Instruction Fuzzy Hash: BB01F772D4E6950EEB3317B47C224E67FA0DF0621470A01F7D059CA5A2C90D26868391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892440 Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b20c41fffb15a19c7a526b76f9ce57365172f42fa8ad41fa35adf4bb45688317
                                                • Instruction ID: 0f1ae06b05dc256905b266f3de4ffab586d874021a3caf17bff8fad73a820492
                                                • Opcode Fuzzy Hash: b20c41fffb15a19c7a526b76f9ce57365172f42fa8ad41fa35adf4bb45688317
                                                • Instruction Fuzzy Hash: BAF0E9B250D64C5EFB1C9E48AC5BAFA3BA8DB47334F00001EE58D82062F1527553C295
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892659 Relevance: .0, Instructions: 47COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c03b62083d5df5f35b0f12f5cdcf58eb83950378f396bad66e1a020175f41efc
                                                • Instruction ID: df1e2141387e500ca6ea9179c976481dd3024a44b4c2985ed07f8e49dd176be4
                                                • Opcode Fuzzy Hash: c03b62083d5df5f35b0f12f5cdcf58eb83950378f396bad66e1a020175f41efc
                                                • Instruction Fuzzy Hash: D101243180E2C95FD746DFA4C8695E9BFF0EF5A200B0A80EBD488CB4A3DA2895468750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89B65D Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6996d215e8469b4f28959e77500b658dc6a97563e85f6353e38a77e00c424ab0
                                                • Instruction ID: 16e3c4cf58b438e7e062ceda677823c32d8b8f751521f12672ee2a62b778e083
                                                • Opcode Fuzzy Hash: 6996d215e8469b4f28959e77500b658dc6a97563e85f6353e38a77e00c424ab0
                                                • Instruction Fuzzy Hash: 8A01A230B2954D8BEB399B68C4B65F837D6EB49305F20413ED4ABC21E2DE38F6464640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89F08D Relevance: .0, Instructions: 42COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae92d6c5723e1f5714dc26c9ab71934e8fe0d12e426005dcb946c46a12fa4217
                                                • Instruction ID: 39e04be0fc0299be5c770212464763e440f0383859179e3b3ab47bc9797ca0f0
                                                • Opcode Fuzzy Hash: ae92d6c5723e1f5714dc26c9ab71934e8fe0d12e426005dcb946c46a12fa4217
                                                • Instruction Fuzzy Hash: 60013970A0892C8FDFA9DF58C895BA8BBB1FB69301F5041DAC04DE7251CB71AA85CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8912D8 Relevance: .0, Instructions: 40COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ce20cc87d05dc455848d25c79e1cc6b41bbb111e7055bd1f0987fd76c045cb3
                                                • Instruction ID: a7135181db26b92a44bb99643ef8ee72105ae1afd4f137353bd39f8af554093b
                                                • Opcode Fuzzy Hash: 2ce20cc87d05dc455848d25c79e1cc6b41bbb111e7055bd1f0987fd76c045cb3
                                                • Instruction Fuzzy Hash: ED01D120E0E6AA0FE7AAD7A444752757FE1AF4A300F0640EBD058CB5E7D918ED898391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89D3AA Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6364fa4c7c8d8be0996aacc52aae41300c365d61cce50c07466cf792668abd5
                                                • Instruction ID: 7bbb3b8fa2be54c5f0c5d59c74977fe20a81f86007b6e25c27971827eddd14e9
                                                • Opcode Fuzzy Hash: e6364fa4c7c8d8be0996aacc52aae41300c365d61cce50c07466cf792668abd5
                                                • Instruction Fuzzy Hash: 0D01BE7091992D8FDFA9EB08C894BE9B7B1FB68301F1041E9900DE7660DA71AEC1DF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B898DF7 Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 94473f8c7d5f93276c6174761df5bed634801b232dec2c29861c3f6ba473074d
                                                • Instruction ID: 3237af601753d4ab045601d015cab82965b5a9f8ad7d026dcc6b2c6ba2b56db2
                                                • Opcode Fuzzy Hash: 94473f8c7d5f93276c6174761df5bed634801b232dec2c29861c3f6ba473074d
                                                • Instruction Fuzzy Hash: 9B014070A0892C8FDFA8EF18C894BA9B7B1FB69301F5040D9804DE3251CA31AE84CF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89EFA7 Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 193cbaeadb29429845123337703b06c8496a871ec4d0a0cf31c00ab996e30371
                                                • Instruction ID: 8a1ae602ade32b0d9b47fd0fe3f3d56ec79014e90b75878b084505dc81aa602a
                                                • Opcode Fuzzy Hash: 193cbaeadb29429845123337703b06c8496a871ec4d0a0cf31c00ab996e30371
                                                • Instruction Fuzzy Hash: 4001FB7094995D9FCF55EBA8C864EA9BBB4FF19300F1400A9D00AD75A5DB34A981CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A0270 Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0db4a8850860fc7d9e187dfc3b69a471a61e9cd0f9c949e880025101d849d87b
                                                • Instruction ID: f4a6e35671a9cba44924eaf3f4dc06f5044f7bb87375dff4030c5295842af2fa
                                                • Opcode Fuzzy Hash: 0db4a8850860fc7d9e187dfc3b69a471a61e9cd0f9c949e880025101d849d87b
                                                • Instruction Fuzzy Hash: 0FF0B234908A4E8FDB94EF58C944AEA77E0FF58300F0105A5F829C72A4C734EA64DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89A6B5 Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f1affb9c9734a2b4acb4f2f737d01f2bfaf64bf65f4b3998647152b930fbd16e
                                                • Instruction ID: 65b815f5516c82d04cb9aa781ffb660b6bf7cb3d8be61e5aee0cf923670fe85b
                                                • Opcode Fuzzy Hash: f1affb9c9734a2b4acb4f2f737d01f2bfaf64bf65f4b3998647152b930fbd16e
                                                • Instruction Fuzzy Hash: A8E01A2684F3CC5FDB139B608C655A5BF70AF47100F0E82EBE5988B0A3D62D5618C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A02B0 Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cb1246b02e89c76499340887fe6ba679fd4cb4207a6ed5f3a94478d41b8e3058
                                                • Instruction ID: d3a077da18b55cc69619dc76f6e5681a046bfc488cbd1bfbc8aa72925b6ff331
                                                • Opcode Fuzzy Hash: cb1246b02e89c76499340887fe6ba679fd4cb4207a6ed5f3a94478d41b8e3058
                                                • Instruction Fuzzy Hash: 24E0653091920E8FEB64EFA485006F973A0FB04304F8004AAF819C21E1CA38A764DB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89E90C Relevance: .0, Instructions: 21COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b76b8b9104fb3d6adf0cb65be71c8c691cd772548070f8781af6bd4ca1468e8
                                                • Instruction ID: 94c3ebc6b50d5e8c15706a6eb5561d96e967f5a1e6bb9416d049cfe6744dcba4
                                                • Opcode Fuzzy Hash: 4b76b8b9104fb3d6adf0cb65be71c8c691cd772548070f8781af6bd4ca1468e8
                                                • Instruction Fuzzy Hash: 2BE0867160C78D8FCBA4CF9CD090666BBD2EB88305F51453DE04AC7A51D670A8474741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89AF98 Relevance: .0, Instructions: 13COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bbb248375b8bb789385e3fd51fc67cfdb2ad5644a162b64b9645356db38461df
                                                • Instruction ID: 5ac6c6ee320f816399486767c12171d5c8bb1058c4297f5ea5d41d3c10feef89
                                                • Opcode Fuzzy Hash: bbb248375b8bb789385e3fd51fc67cfdb2ad5644a162b64b9645356db38461df
                                                • Instruction Fuzzy Hash: 07C02B1378A50C09D9905A4C7C410A4B340DB4413078001B7D808C010AC82B09440780
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B898A04 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 89a7a80d33ef7f3bc893218a3eb6379ef33d9532b48a71f1864894e79773d94d
                                                • Instruction ID: 1533b0a0efe24af9dcc51b109833cf2d2ae96e1a75a3b0ecb9e6ad5656dc9bff
                                                • Opcode Fuzzy Hash: 89a7a80d33ef7f3bc893218a3eb6379ef33d9532b48a71f1864894e79773d94d
                                                • Instruction Fuzzy Hash: E1D092B0E0950ECEDFA4DFC594645BCBBB0EF58341F550039C00AE22A1CA3825428F01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B894234 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08816e89fd97a912990a2ef36819bb84b09c1da8a9ed8bbb1b48201a6e19e53c
                                                • Instruction ID: 0006b3b96e4bdc9513ff9784c507ef13472b5a598ea52976006a5ed979569508
                                                • Opcode Fuzzy Hash: 08816e89fd97a912990a2ef36819bb84b09c1da8a9ed8bbb1b48201a6e19e53c
                                                • Instruction Fuzzy Hash: 15C08081F25C4B35D76C576408B51F19291FF58304F41007CA05FC20C7ED1479054100
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8969B7 Relevance: .0, Instructions: 9COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e37c92dfa5beb11c98f3ff38f4824b21166f3cfc9a7be88a12e4f937bd2ef790
                                                • Instruction ID: cc48d89a4f5318d23dd5e097d74e10a820669432f65cef8666b630bb3ed9ac35
                                                • Opcode Fuzzy Hash: e37c92dfa5beb11c98f3ff38f4824b21166f3cfc9a7be88a12e4f937bd2ef790
                                                • Instruction Fuzzy Hash: F3C00274F1961E8DEF74DB94445477D6960AF5A741F5100F9904EE2151DE3416809B41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B892850 Relevance: .0, Instructions: 3COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22e642ab1ce693d423bf96c6870a8322d48b2fadf33e28e300ed9c9d88e67d9a
                                                • Instruction ID: 91dce43dbe1cbcc45b6c5d548a9ded9ecba92a38e8a3ffab69d03c28d30e6e01
                                                • Opcode Fuzzy Hash: 22e642ab1ce693d423bf96c6870a8322d48b2fadf33e28e300ed9c9d88e67d9a
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 00007FFD9B89F435 Relevance: 4.5, Strings: 3, Instructions: 707COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LM_^$^$_
                                                • API String ID: 0-125387242
                                                • Opcode ID: bc2aa298a452d60fa6c44442c4479ba0167cbae1b6b3d32ecdc27956beeed2eb
                                                • Instruction ID: e013a1735e319930baaba7572944af012c11713a1148b50da1f521faebfefb6e
                                                • Opcode Fuzzy Hash: bc2aa298a452d60fa6c44442c4479ba0167cbae1b6b3d32ecdc27956beeed2eb
                                                • Instruction Fuzzy Hash: 6112173770957A8AD31ABBACFC654F87750EF8223A70843F7D1998E0D3ED19604A8694
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B89F45D Relevance: 4.4, Strings: 3, Instructions: 662COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1667149030.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b890000_New Quote 50029741830.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LM_^$^$_
                                                • API String ID: 0-125387242
                                                • Opcode ID: 2fd7faaa527f885d85ded661576eb2a03a276c946cbb25faa63b0e2122bbfbec
                                                • Instruction ID: 9fa5fc7bf4a83cb1c1ee9b7dca75d449acfcfd9eaecab1c6c0867ec811dc5984
                                                • Opcode Fuzzy Hash: 2fd7faaa527f885d85ded661576eb2a03a276c946cbb25faa63b0e2122bbfbec
                                                • Instruction Fuzzy Hash: BC02182770967A8AD30ABBBCFCA54E87750DF8123A70843F7D1998E0D7ED19604B86D4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                Function 00007FFD9B8ACA60 Relevance: 1.8, Strings: 1, Instructions: 546COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L
                                                • API String ID: 0-2909332022
                                                • Opcode ID: 70bc60a3dd65913fa465fb060c41ed0155de6aa543ad8afc301f51c16da0c156
                                                • Instruction ID: 82b843dcc85d0474952fd1704491b69846255e153f4b9fa3c517250593963157
                                                • Opcode Fuzzy Hash: 70bc60a3dd65913fa465fb060c41ed0155de6aa543ad8afc301f51c16da0c156
                                                • Instruction Fuzzy Hash: DA02017190E3C94FE3669B648C655657FF0EF5B310F0A01EFE48AC71A3DA286906C762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A1238 Relevance: 1.0, Instructions: 1039COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2fd7109b6a2f0e04da2a780e2dc05cb18c16406872b245dff23c1589bb16c24b
                                                • Instruction ID: 3ad9f47c5af019cb297e99b4c1630e2dcc8b0524326144fe91b7dcbba400f0dc
                                                • Opcode Fuzzy Hash: 2fd7109b6a2f0e04da2a780e2dc05cb18c16406872b245dff23c1589bb16c24b
                                                • Instruction Fuzzy Hash: CC622230F19A1E4BE76CEFA884A567973E1FF89300F55417DD45AC32E6DE28A842C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A42AF Relevance: 1.0, Instructions: 1000COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c5ce3a1908f09fc17924c1b4595948f071352b27b8e68778c3919b009faf24d9
                                                • Instruction ID: ab38e87bd6870fabf45da701b146263c4b506b65d4aa8e115ad6da55105d8f45
                                                • Opcode Fuzzy Hash: c5ce3a1908f09fc17924c1b4595948f071352b27b8e68778c3919b009faf24d9
                                                • Instruction Fuzzy Hash: A362E531B19A498FEB6CEB688865AB5B3D1FF5C300F0541BDE05EC72E7DE24A9428741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A191D Relevance: .5, Instructions: 512COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e13fea4566b3f07979e755868df6e2c4658c1fe8e30dca82576ee8ed00b71a00
                                                • Instruction ID: 9a9c27eda4fee4a0721f808a5119a1405fc2a3e65c85021a7099c6138031f603
                                                • Opcode Fuzzy Hash: e13fea4566b3f07979e755868df6e2c4658c1fe8e30dca82576ee8ed00b71a00
                                                • Instruction Fuzzy Hash: 0FF1F231F19A0D4BEBA8EF6888656B977E2FF99300F450179D40EC72D6DF68A802C741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A1980 Relevance: .5, Instructions: 485COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42359a4ba68a0f80d7359ee2aad40c36048b4ad93cde4fffd8df8963501aabdf
                                                • Instruction ID: 06d2016d55e3f12dc5902c6ba7d2bb636e987812761128454ba2771a2e618539
                                                • Opcode Fuzzy Hash: 42359a4ba68a0f80d7359ee2aad40c36048b4ad93cde4fffd8df8963501aabdf
                                                • Instruction Fuzzy Hash: B5F1C131F19A0D4BEBA8EF6884A56B977E2FF99304F414179D40EC72D6DF68A802C741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A1328 Relevance: .5, Instructions: 472COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57251733310df4be4ac7f416a64ad6e7823e86513264baf6c83cffbb8aa8c19b
                                                • Instruction ID: 00fb0846000506b2d22413fc6b6052bb4313caed303eabb88b5e07dda8452f1a
                                                • Opcode Fuzzy Hash: 57251733310df4be4ac7f416a64ad6e7823e86513264baf6c83cffbb8aa8c19b
                                                • Instruction Fuzzy Hash: 42E19731B1991D4FEBA4EFA8D8A4AB973E2FF98311B150179E00DD72E5CE29AC41C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A1498 Relevance: .4, Instructions: 390COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc2312e0d28d6ae4c86c2d4f8b6e4611284dcfed3784d4ec60581c9734ff907d
                                                • Instruction ID: e0219798d9b71d299e4b7e9b366437a1c0f4af3e03596ab59f7659b4f921ca66
                                                • Opcode Fuzzy Hash: fc2312e0d28d6ae4c86c2d4f8b6e4611284dcfed3784d4ec60581c9734ff907d
                                                • Instruction Fuzzy Hash: 5CD17378E0950E8FEF58DBA8D465ABDBBB1FF59310F01116AD00AEB291DE34A541CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A0753 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: M_^
                                                • API String ID: 0-921959145
                                                • Opcode ID: eb2f51a6c978c4909977df665f69ab1922d365f9c796a47017ba33c0c9f82f38
                                                • Instruction ID: 5e3d445e5d20f31e85f609aea4919a91990e169ab357e7d4e1e4a816fdd07dcf
                                                • Opcode Fuzzy Hash: eb2f51a6c978c4909977df665f69ab1922d365f9c796a47017ba33c0c9f82f38
                                                • Instruction Fuzzy Hash: 3B51F952E1FAC64FF76657F80C391A47F50AF6265070E02BBC4BC8A0E7DD196A198391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8B01FA Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: BL_^
                                                • API String ID: 0-3626567270
                                                • Opcode ID: 5b13e05d25dae50d8dfe8797291d5aa3ea524c6c1894cb49d71c6abb121cdf1c
                                                • Instruction ID: 2b6eb4641136ff6366cce621223ebc9074c3521025c1114fdbcacc275f05b0ee
                                                • Opcode Fuzzy Hash: 5b13e05d25dae50d8dfe8797291d5aa3ea524c6c1894cb49d71c6abb121cdf1c
                                                • Instruction Fuzzy Hash: 4F21BF31E0E62E8AEB66ABE998695FC7BB0EF4D310F011076D00DD21E2DE2825048B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB6B3 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 7
                                                • API String ID: 0-1790921346
                                                • Opcode ID: c65cb63ab6ef94107c6e229a9a16720f79c1eafe605f75825d7af84da63d842c
                                                • Instruction ID: f559bfc6b45a8234153a3f68a94348803da37276f3208a9eabc7e0eda39e8ad5
                                                • Opcode Fuzzy Hash: c65cb63ab6ef94107c6e229a9a16720f79c1eafe605f75825d7af84da63d842c
                                                • Instruction Fuzzy Hash: 84119E30B2851D4BD72CAA6C84724BD73E6EB89B10F24843DD59BC32E6DD38E9464640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB728 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ^
                                                • API String ID: 0-1590793086
                                                • Opcode ID: 8b38e8db6560ba5b147cdce8aafeb7186785485d77c934c5996866f0852a3e79
                                                • Instruction ID: 62e021b7db29c7dc79e1c2975ae53c03a20c55aeb5c8a1e4e204ef29cda07b6c
                                                • Opcode Fuzzy Hash: 8b38e8db6560ba5b147cdce8aafeb7186785485d77c934c5996866f0852a3e79
                                                • Instruction Fuzzy Hash: 7B11A330B1D65A8AE73C9BA8C0705BD73E5EB49701F21503DE4DBC31D1DD78EA425610
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB699 Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 7
                                                • API String ID: 0-1790921346
                                                • Opcode ID: 614127b9c1147893a6bfbcdad242617d7291354d2c09e99f8c2ba524444f68ed
                                                • Instruction ID: b7ab5d1f90766d8cd49b83a597344da939fbbd0b0d88916bec1ec079978f444b
                                                • Opcode Fuzzy Hash: 614127b9c1147893a6bfbcdad242617d7291354d2c09e99f8c2ba524444f68ed
                                                • Instruction Fuzzy Hash: 6F01D630B2D51D4AE73C9B68C4714BD73E5EB49701F21443DD49BC31D2DE39EA464640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A697E Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: o+
                                                • API String ID: 0-251698391
                                                • Opcode ID: ba3cfa3bbe30ece1faa0f4b7062a1686586c58924dc58b69376409eeca1cda9f
                                                • Instruction ID: faaffcec0168a135be0443235109f8184c003abfb9d9b3e4bc3f744de977f51a
                                                • Opcode Fuzzy Hash: ba3cfa3bbe30ece1faa0f4b7062a1686586c58924dc58b69376409eeca1cda9f
                                                • Instruction Fuzzy Hash: EEF03C70A0A95C8FDB59DF14C8E4AA8B7B1FB59300F1401EAD00ED72A2CA346E85CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A6A66 Relevance: .6, Instructions: 630COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 44338c6cf80d434107dff4563b03334374e5d864e9c4ed7aad91dcefb7d36a77
                                                • Instruction ID: c401fc57fe2b382c2a3353b8fb67a09851d5dafcfc3fa78d7b1369ca28558bd0
                                                • Opcode Fuzzy Hash: 44338c6cf80d434107dff4563b03334374e5d864e9c4ed7aad91dcefb7d36a77
                                                • Instruction Fuzzy Hash: C132BC70A1995D8FDFA8DB58C8A5BA8B7F1FB68301F1441E9900DE72A1DE35AD81CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A6A15 Relevance: .5, Instructions: 451COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ead5cf1d1da88db58a667387d4fb3c600d684283fe1f8b97cadc8bf890bc9f84
                                                • Instruction ID: e9adbd2bdb4b2b091a62db482be303ea7188e8f28ed88a72250c0051fa780bbe
                                                • Opcode Fuzzy Hash: ead5cf1d1da88db58a667387d4fb3c600d684283fe1f8b97cadc8bf890bc9f84
                                                • Instruction Fuzzy Hash: 29F1DE71A1995D8FDFA8EB58C8A5BE8B7B1FB68301F1141EA900DE3291DE316D81CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A7C39 Relevance: .4, Instructions: 386COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a480717a42661aff699bbde73e7e2478703a318508822d5128b7a4dc7ae3235b
                                                • Instruction ID: 9b6637f1f2a2ca49b9f3e1ee17f4d2d5c1fb7fb7dec3e9b2640d4f5490198f6a
                                                • Opcode Fuzzy Hash: a480717a42661aff699bbde73e7e2478703a318508822d5128b7a4dc7ae3235b
                                                • Instruction Fuzzy Hash: 16D1F734A0995E8FEBB8DB48C865BB877A1FF98310F5101F8D40DC3695DA396E86CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A9723 Relevance: .3, Instructions: 308COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed5c47d8e7787b1e8ebef17ba4837dd6278ac00ccc22021752bd468a819c5583
                                                • Instruction ID: fe18709372a85257496f819a498dc60a4597a2f6a782fe8ca5721d9a75f6b2c7
                                                • Opcode Fuzzy Hash: ed5c47d8e7787b1e8ebef17ba4837dd6278ac00ccc22021752bd468a819c5583
                                                • Instruction Fuzzy Hash: 1EC1F970E08A1D8FDF98DF58C895AA9B7F2FFA8300F1485A9D41DE7255DA30A981CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AE1AE Relevance: .3, Instructions: 280COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe89f737b49990a13665b7933a4bf8552c2f70e40c6d35dda5576ebb029575a9
                                                • Instruction ID: 764184d62079f168a3690d2e2e4a9dde0eb94064e4a34c161102f742c753bd0b
                                                • Opcode Fuzzy Hash: fe89f737b49990a13665b7933a4bf8552c2f70e40c6d35dda5576ebb029575a9
                                                • Instruction Fuzzy Hash: B2914F30A65A1DCFDB59DF48C8A1BE9B3B2FB69305F2001ADC44AD3691CA756D82CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2D2D Relevance: .3, Instructions: 268COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4680f749596bf14992efee30873e146426df53d5a08c4a847ef9781192940ee1
                                                • Instruction ID: e9c25bffb6d15e46f345bf19823642b98d2e2b745d822bc60a6cae6819761383
                                                • Opcode Fuzzy Hash: 4680f749596bf14992efee30873e146426df53d5a08c4a847ef9781192940ee1
                                                • Instruction Fuzzy Hash: 2F717D21B1E6890FD77D9BFC98645B13BD0DF8A21570A41FED48AC71A7ED189C438391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A1300 Relevance: .3, Instructions: 254COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 45e6879c79b035662a75594c0e29c49804034478cd2dc488803a17792d7a4d3d
                                                • Instruction ID: a233b1202d9e348c8b682bbc231cfb9ab7f293b7a8f9c9751b97381c46aeb61b
                                                • Opcode Fuzzy Hash: 45e6879c79b035662a75594c0e29c49804034478cd2dc488803a17792d7a4d3d
                                                • Instruction Fuzzy Hash: 43617B21F0E94E0FEBB9967C58761757BD1DF99210B0A01BFD05DC31E6ED18AD468390
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AAF37 Relevance: .2, Instructions: 247COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f52840b23bca6299ecf8a27fc923ca628f5d408def1c579733eeb0d8297fab55
                                                • Instruction ID: 3b0460a70e2431fa14291ed4b50da9f89b6cbfa94a3ee1918070146125ab1c95
                                                • Opcode Fuzzy Hash: f52840b23bca6299ecf8a27fc923ca628f5d408def1c579733eeb0d8297fab55
                                                • Instruction Fuzzy Hash: E3810921A0D2C94FD326DB648CA56657FB1FF96310F1A41FBD089C71E7D92CA905C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A83A9 Relevance: .2, Instructions: 246COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e63f498855079479dca1ad6fe6b328467afa0a77f6f0b316e2c4575b16b9e43c
                                                • Instruction ID: 436b563e89285d5a24b8874b08a24c8bc463bacc9a60daf41880b7d8504298e1
                                                • Opcode Fuzzy Hash: e63f498855079479dca1ad6fe6b328467afa0a77f6f0b316e2c4575b16b9e43c
                                                • Instruction Fuzzy Hash: 9B816070E0E65D8FDBA4DB988860BE87BB5FF59300F5141BAD00DE7151DB359A42CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A83DD Relevance: .2, Instructions: 230COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f4947e6de51348df4b3b9a24061932a0314183df9c5d2504618f686e9bbcbee
                                                • Instruction ID: f58385e95bc335db9eda5a16f343e87aaaf7d57fdcede8450d8f4ac96b495642
                                                • Opcode Fuzzy Hash: 7f4947e6de51348df4b3b9a24061932a0314183df9c5d2504618f686e9bbcbee
                                                • Instruction Fuzzy Hash: 5D717070E0E65E8FEBA5DB988864BE87BB1FF59300F5541BAD00DE71A1DA345942CB20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A08CD Relevance: .2, Instructions: 210COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b600e749108f4cda54d872ba620e469f6a90981f2168c990a32504faf6e166d
                                                • Instruction ID: 401076a3935a6ce25e274149eea3d9377b18632c831300a037c19519177744ae
                                                • Opcode Fuzzy Hash: 3b600e749108f4cda54d872ba620e469f6a90981f2168c990a32504faf6e166d
                                                • Instruction Fuzzy Hash: B9613962B2DD8A0FE79CEB2884B5AB5B391FF68740F0506B9D05EC71D7ED24B9068341
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A3435 Relevance: .2, Instructions: 206COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71ea8bb5cbff91cff2af4ffb16db9c684b7fd14ba62262698b14b91cf05f5874
                                                • Instruction ID: 11cf27aff1d71226e35baf19bce702ad15d1ef7becfa7556ef15ab7be6f18b3c
                                                • Opcode Fuzzy Hash: 71ea8bb5cbff91cff2af4ffb16db9c684b7fd14ba62262698b14b91cf05f5874
                                                • Instruction Fuzzy Hash: 5E618071A09B8E8FDBA9CF58C8606A537A1FF59304F1506ADE46DC72E2CB35E902C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB334 Relevance: .2, Instructions: 206COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8874593f70161b8b1c741d0c8a2ccc9e72acce76f745590cf596d086ea1e0923
                                                • Instruction ID: 275afe95c2fea4aafbebf71d7fc1b01d4fb88836e9ee042989f97f32e91b30d2
                                                • Opcode Fuzzy Hash: 8874593f70161b8b1c741d0c8a2ccc9e72acce76f745590cf596d086ea1e0923
                                                • Instruction Fuzzy Hash: BC61E730A0E3C94FD72ADB6488655753FB5EF57300B1641EEC48ACB1E3D928E946C762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB3B3 Relevance: .2, Instructions: 191COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ffa8f61df158429a5e3b4b94ec74e9b8b4cdbf1075a0ca59917b947c792e5494
                                                • Instruction ID: 54038a79611b6e8448d3df7622c7b691a3e5853510af4628c5c675acdc8a42bd
                                                • Opcode Fuzzy Hash: ffa8f61df158429a5e3b4b94ec74e9b8b4cdbf1075a0ca59917b947c792e5494
                                                • Instruction Fuzzy Hash: CD51193160E7854FD71ADB64CCA59653FB5EF57310B1A41EAC08ACB1B3D928EC06C762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AD81C Relevance: .2, Instructions: 184COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 587655c60d2cbdb428f1d93667b21d8f3936d86d4817df9d2a6929f0faa117b5
                                                • Instruction ID: 0cab792d1bdc14cbddd42a8cc013efbda3b548dd12970ff105a8bd289dfd4f7d
                                                • Opcode Fuzzy Hash: 587655c60d2cbdb428f1d93667b21d8f3936d86d4817df9d2a6929f0faa117b5
                                                • Instruction Fuzzy Hash: 89518F34A2A91E9FEB58DF48D4A0BE9B7B2FB6D300F2401B8D449D7755CA35AD81CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2700 Relevance: .2, Instructions: 174COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e07b3a814d028a6f0c1f240ff30868d476418e5d86cb48124b43be55ec81c98
                                                • Instruction ID: d3ba2867151cb65be846dfdb742f61461452f1facdd15b6d7cc7df86170af45a
                                                • Opcode Fuzzy Hash: 0e07b3a814d028a6f0c1f240ff30868d476418e5d86cb48124b43be55ec81c98
                                                • Instruction Fuzzy Hash: B441C032B692460FE73C8FE8A8C54B177C1EF8A32571A417DD09BC7163E928E4434781
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A60AF Relevance: .2, Instructions: 163COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73ee6d25e3e27679f87ffb2fd3bc33710ab8e6ff20c0a8469fc80fb3aac07526
                                                • Instruction ID: 21b98eb5ef9baa7a40c33e006b55e8e01831f938d1950eb7e38b56b3f15a9e12
                                                • Opcode Fuzzy Hash: 73ee6d25e3e27679f87ffb2fd3bc33710ab8e6ff20c0a8469fc80fb3aac07526
                                                • Instruction Fuzzy Hash: B551AD71E0EA5E8FDF64EB98D8A4AFC7BB0FF58310F05053AD04DE7192DA64A5818760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AFAFA Relevance: .2, Instructions: 162COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 546396cef791a4a0b6f517f194e6e5af8b58de01304110d7347d34b3d7fdaedf
                                                • Instruction ID: c92427aeb9e7fcd09040534275d7dbbc8ad027b41709e3b69eafe596be53fa3a
                                                • Opcode Fuzzy Hash: 546396cef791a4a0b6f517f194e6e5af8b58de01304110d7347d34b3d7fdaedf
                                                • Instruction Fuzzy Hash: C4411823B0E2A54BE316B7BCBC764F93B50DF42229B0840F7D1988B0E3ED19544786D6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8ACB4B Relevance: .2, Instructions: 156COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9211216fc440a4fd3ae8f0e52a368cdf84f89d78a2d852708bfcc62a168c8ec9
                                                • Instruction ID: efb1743d3b610eea746af309dc7235312cf5708cc29bfcb24ad32ad96031e451
                                                • Opcode Fuzzy Hash: 9211216fc440a4fd3ae8f0e52a368cdf84f89d78a2d852708bfcc62a168c8ec9
                                                • Instruction Fuzzy Hash: 45412621A0E7C90FE32697748C691643FE5EF5B314F1A42BBD489CB1E3E92C59068761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8ACAFB Relevance: .2, Instructions: 151COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30d13210f6fa14f008b0913db0601fbdcc0517cb5ccba461f44815d8f318b79b
                                                • Instruction ID: 39a3258639198f925f2202db58624c4edd86406ceb23e3065b24925bc914f57b
                                                • Opcode Fuzzy Hash: 30d13210f6fa14f008b0913db0601fbdcc0517cb5ccba461f44815d8f318b79b
                                                • Instruction Fuzzy Hash: 7D410321A0E7C94FE32697348C695693FE1EF5B314F1A01BFD489C71E3D92C59068762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8ACB89 Relevance: .1, Instructions: 130COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c467606cc9dfde0d21c836e0bc5a8885cf5c9a90de0746e533ddc143c531f64
                                                • Instruction ID: 369e79026b6d5413064ae896e3e564a878beea8fabce89caecb4447b4abc9cfa
                                                • Opcode Fuzzy Hash: 3c467606cc9dfde0d21c836e0bc5a8885cf5c9a90de0746e533ddc143c531f64
                                                • Instruction Fuzzy Hash: 3441E161A0E7C90FE32797344C691683FA0AF1B314F1A01FFD089C71E3D928590AC762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8ACBA2 Relevance: .1, Instructions: 130COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 55e57a9919d495c511735b9615322904cbe1fae05346f83b5f12c48faf6fc12d
                                                • Instruction ID: aaf5c1063fd9f2571bbef59b7dcb1e9ebbcc2e76a8ed5e78c225aefa778dc968
                                                • Opcode Fuzzy Hash: 55e57a9919d495c511735b9615322904cbe1fae05346f83b5f12c48faf6fc12d
                                                • Instruction Fuzzy Hash: 8A41CD61A0E7C94FE36797748C691643FA0AF1B314F1A01FFD089CB1E3D928590AC762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A9490 Relevance: .1, Instructions: 127COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a2b25c2c0460c7dd579d39aeff3630c3beb60c1857911f00877f42e66b7677f
                                                • Instruction ID: 0616c5a37d6e0776fa0f2ec8ceada810e05c9b6c2bafb7388406eb89950b7812
                                                • Opcode Fuzzy Hash: 3a2b25c2c0460c7dd579d39aeff3630c3beb60c1857911f00877f42e66b7677f
                                                • Instruction Fuzzy Hash: 15519274E1E61E8BDF68CF94D4699FDB7B5BF48300F11043AE41AA7390DA34AA40DB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB485 Relevance: .1, Instructions: 125COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f2da3e1d4131509d09a8374fe61c2fb5544d1b1ed67d9ed350e677c4fa20d2d
                                                • Instruction ID: ae447fdd011b7b75b3717984872ef26bad0e083915b0e059563f8aaacd8f34f5
                                                • Opcode Fuzzy Hash: 6f2da3e1d4131509d09a8374fe61c2fb5544d1b1ed67d9ed350e677c4fa20d2d
                                                • Instruction Fuzzy Hash: CE41DF2190E3C94FD7239BB48C651A57FB4EF17310B1A41EFD48ACB5A3E958A846C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB4CF Relevance: .1, Instructions: 124COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2b73f3ea07c92125da09cd1c34cb4225c8167c35d7c78816ecf21912ea1bf51
                                                • Instruction ID: c447b2fa57c024cd475190d93342434c626bea48d2003ac9e25c52c6de96ad3d
                                                • Opcode Fuzzy Hash: a2b73f3ea07c92125da09cd1c34cb4225c8167c35d7c78816ecf21912ea1bf51
                                                • Instruction Fuzzy Hash: AE41C03190E3C94FD7239BB48C655A53FB4EF17310F1A41EBD48ACB1A3E9685946C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB4AF Relevance: .1, Instructions: 123COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fcd3bc8d593bcc14f94e8908576dcf4c1729b2c4188d0dc77e8520695027b105
                                                • Instruction ID: b18aa21c85cef21bdc6333df7c9915c932374f0154d9482db4a95b3c34563bf0
                                                • Opcode Fuzzy Hash: fcd3bc8d593bcc14f94e8908576dcf4c1729b2c4188d0dc77e8520695027b105
                                                • Instruction Fuzzy Hash: 9541EE3180E3C94FD7239B748C661A57FB4EF57210B0A41EFD4CACB1A3E9686846C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A9E65 Relevance: .1, Instructions: 113COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f72a55818f7c3416af22aa30db7ffc334875eff4a011b589e9d6da08fe99329a
                                                • Instruction ID: 8cee2c7ee647e55fa9f57e499604b96fc31c88a87a60d20e05045aa2329d56cd
                                                • Opcode Fuzzy Hash: f72a55818f7c3416af22aa30db7ffc334875eff4a011b589e9d6da08fe99329a
                                                • Instruction Fuzzy Hash: 4131F370A0DA5D8FDFA4DF98D4A4AECBBB1FF68300F11056AD00EE7291DA74A941CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A9475 Relevance: .1, Instructions: 110COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 56035179f8b3d750be88348c39f097115e5aee32d0465a049429a5b354b68345
                                                • Instruction ID: 6ef0bace70a4df30cb46f76e1b9dcd111c773113bc1ed1bb0481d2cbd5f69e49
                                                • Opcode Fuzzy Hash: 56035179f8b3d750be88348c39f097115e5aee32d0465a049429a5b354b68345
                                                • Instruction Fuzzy Hash: CF419574E1E21E8BDF68CF94D4696FDB7B1BF48300F11443AD41AA7290DA34AA40CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A3079 Relevance: .1, Instructions: 105COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8be3287c6722630b8a53d2a16e518d1e7b205182a8916186c850c908a240674c
                                                • Instruction ID: f22fd541adb1dd0123d7130e2f271407a9b39c617b5a27f8acf018914db98f00
                                                • Opcode Fuzzy Hash: 8be3287c6722630b8a53d2a16e518d1e7b205182a8916186c850c908a240674c
                                                • Instruction Fuzzy Hash: 2C21BA22B0BA4A0FDBA0F7BCA4655B937D2DFCE25170601B5E409CB2B7ED185D428361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB518 Relevance: .1, Instructions: 104COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aac9ccb988b64d741e9f3cdff28caf3a2141e85d49efdfcc6d453595d86f21a4
                                                • Instruction ID: 947e7db0a89dcb3f0ff5a90746d432da8a6308fd70f8f4a022979472ae7792dd
                                                • Opcode Fuzzy Hash: aac9ccb988b64d741e9f3cdff28caf3a2141e85d49efdfcc6d453595d86f21a4
                                                • Instruction Fuzzy Hash: 8B31CF7144E3C84FD7239B748C655A17FB4EF57310B0A42EFD485CB5A3EA585846C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AC865 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7c8bea2e21d53a72949edda22add6ede91e41c61985a99ae3d7ca50cd565181
                                                • Instruction ID: ee62f098343303d3f04b669ff80702b521f98a602be02ed658a31da630e0e490
                                                • Opcode Fuzzy Hash: d7c8bea2e21d53a72949edda22add6ede91e41c61985a99ae3d7ca50cd565181
                                                • Instruction Fuzzy Hash: A4217C62B0E74D0FE7A49BA88CA913977D5FB99310F05027FD44EC32E2DD1868014791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A60A8 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13b3b07e1380e443ec8d932467ab58bce6e53513a4626ef596fac6ee57b63237
                                                • Instruction ID: ec417cc246d4cba087753945ddaab39771db2014e833480de2455568561d4f35
                                                • Opcode Fuzzy Hash: 13b3b07e1380e443ec8d932467ab58bce6e53513a4626ef596fac6ee57b63237
                                                • Instruction Fuzzy Hash: 0C31D270A1DA5D8FDFA4DB98D4A4AEDBBB1FB6C300F11042AD00EE7291DA75A950CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2FA8 Relevance: .1, Instructions: 101COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 81ff502512cbd5597255f0e1c014afb23d257275676cc4fd47eec4946c941e53
                                                • Instruction ID: 0a80c040be751db7977e161a1d3712d9621f0291c6353f6981feb377d8745c52
                                                • Opcode Fuzzy Hash: 81ff502512cbd5597255f0e1c014afb23d257275676cc4fd47eec4946c941e53
                                                • Instruction Fuzzy Hash: 7421DA6270A9494FE7B4E7AC946967823D2EFDD25130700BAF009C73B6ED14AC424310
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2871 Relevance: .1, Instructions: 96COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c67e0d2c25c7eb02dd2aeabd8cd2406ed9d29151f24d111021e0b95a685f1383
                                                • Instruction ID: 4e2b2b07bf9407f147e2578efc3207a9a424bb11b4dbafd777f9d3078a1c9b68
                                                • Opcode Fuzzy Hash: c67e0d2c25c7eb02dd2aeabd8cd2406ed9d29151f24d111021e0b95a685f1383
                                                • Instruction Fuzzy Hash: 93219131B09A5E4FE7B9DFAD8564575B7E0EF58300B0A05BED04FC76A1CE29E9428350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A3B8E Relevance: .1, Instructions: 94COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2e9e8409ddd0e390c015bd9caf26689a27c9cadc052d5af346d3ae9b71f648d
                                                • Instruction ID: 8a03009948db3532c3a4d4e67c67f11ff4518cc0daede76f9f6282ad3e2197b3
                                                • Opcode Fuzzy Hash: d2e9e8409ddd0e390c015bd9caf26689a27c9cadc052d5af346d3ae9b71f648d
                                                • Instruction Fuzzy Hash: 23316171609A4D8FDB98CF58C8706A537A2FF5C314B25069DE42EC72D2DA31E912CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A1250 Relevance: .1, Instructions: 88COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ddd5983813ff97265a16b4394f86f6c829a5fc9a0863fe2bc23de3893ff238e
                                                • Instruction ID: c9ad0abd1665f0180e8088437d81c240693823c641e1ffea28d992fce19b31b6
                                                • Opcode Fuzzy Hash: 7ddd5983813ff97265a16b4394f86f6c829a5fc9a0863fe2bc23de3893ff238e
                                                • Instruction Fuzzy Hash: 1421F711A0F6E64EE772EBB848785787F91AF16214B4942FFC0D8CB4D7EC48D9858391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A1490 Relevance: .1, Instructions: 87COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bfbea51aeebdbb49ee8d0ae80a75d1afde9582cf026eb380bd1dcf9c0a2b2839
                                                • Instruction ID: ff578f68dbef4feaebe1778c6c72169a96ace0d0aaa8923afba28a6875f5a1b8
                                                • Opcode Fuzzy Hash: bfbea51aeebdbb49ee8d0ae80a75d1afde9582cf026eb380bd1dcf9c0a2b2839
                                                • Instruction Fuzzy Hash: 9121F021E0E69D4EDB1AF768AC645E9BFB0EF46218B0802FBD05DCB0E3ED2454468391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8ACC29 Relevance: .1, Instructions: 81COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f448fddd31362ae3eb65e30052288f905cea4d3fcaa6e416c88bf73031a7660a
                                                • Instruction ID: b95ede6e4d61af70a603a14becdfc203684d3c6606187fbdb7d8c653f82861f5
                                                • Opcode Fuzzy Hash: f448fddd31362ae3eb65e30052288f905cea4d3fcaa6e416c88bf73031a7660a
                                                • Instruction Fuzzy Hash: D7216A30B0E6CC4FE365AB688C681793BE5EF4A304F15017EE48DC72E3DA386A068751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A81B4 Relevance: .1, Instructions: 68COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f82103bd233f740d462c9ce24f0cff5cde6eec33d5126b0c7c87f794e94efcc
                                                • Instruction ID: 024cf6a1cd39cb88c29549e23ce0ccf5461698d7dbe681bcf283caa131ecbc1f
                                                • Opcode Fuzzy Hash: 8f82103bd233f740d462c9ce24f0cff5cde6eec33d5126b0c7c87f794e94efcc
                                                • Instruction Fuzzy Hash: 37210E30A0991D8FDFA8DB58D8A5AA8B3B1FF59301F5111E9D00DD7251CB35AE81CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2F59 Relevance: .1, Instructions: 64COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 898e9886e8358c1884664fdccd614dd3a1a1c7aef52b15f549dd73162beb9da1
                                                • Instruction ID: 2941314c38d892ddb0e46f4ac82ef60ae9e22630666f98f1d1655184142fac9b
                                                • Opcode Fuzzy Hash: 898e9886e8358c1884664fdccd614dd3a1a1c7aef52b15f549dd73162beb9da1
                                                • Instruction Fuzzy Hash: 7D01F921B0B4594FD774EBBCD8289B937D6DFCE25134641B5E409C72B6DE189E438360
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A1862 Relevance: .1, Instructions: 64COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c0539a6373b5afd90b37bbf783010d006f9161a102f13a76be30c32eb47fcf15
                                                • Instruction ID: 1ee461ac834e23c9c2c5bc7f108141428ecb5cf70b1a9f50895b481ab985eacb
                                                • Opcode Fuzzy Hash: c0539a6373b5afd90b37bbf783010d006f9161a102f13a76be30c32eb47fcf15
                                                • Instruction Fuzzy Hash: C4119D30E19A5E8FDF84FBA488655EDBBF1EF5A300F00006AC418D32A1DA785941C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2494 Relevance: .1, Instructions: 55COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cec52a6c7dbbcf1162fd2d75de63ca764ac866f7df92922e8598fda1b547b22e
                                                • Instruction ID: 8fef49b899ae8f4611a21266e86ca986aaa0b122eb7eddc19a40963f79e1f828
                                                • Opcode Fuzzy Hash: cec52a6c7dbbcf1162fd2d75de63ca764ac866f7df92922e8598fda1b547b22e
                                                • Instruction Fuzzy Hash: 13118220E0E6D60FE37A97B848716647FE1AF47251F0902E6C095CB5E7D95CE886C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A73F1 Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5996af45c21643feed210942125428dd1bd8b5302ca250f7f7a4cde4abf61117
                                                • Instruction ID: 2cb77ab6da2f5fcaa2ad90cfddb5df612389ec316c5dc08bb9b0867c67ae43e2
                                                • Opcode Fuzzy Hash: 5996af45c21643feed210942125428dd1bd8b5302ca250f7f7a4cde4abf61117
                                                • Instruction Fuzzy Hash: FF118E6598F2C95FD72347A05C225E53FB89F07214F0A41E7E0988A4E3C91D265AD362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A26C5 Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e9713c0e40f60877c1b992aa0b1e8feb53f531bad09e48a9d2d958b74c1b7993
                                                • Instruction ID: 5bf4f2bfa2ec7c764465760e53f4730485db799568c8a49957bcaf3c300213cd
                                                • Opcode Fuzzy Hash: e9713c0e40f60877c1b992aa0b1e8feb53f531bad09e48a9d2d958b74c1b7993
                                                • Instruction Fuzzy Hash: 6A01F961A4FACD1FD7669FB4886D5E87FA0EF5A200F4A41FBC488CB0B3DD1859468351
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB6FB Relevance: .0, Instructions: 50COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8c27828c4bda868dbe710856b35a0aa605b73b6248d59e1811667607dd0ac87a
                                                • Instruction ID: e1dc77c44715ad9f5fef121b1fde201aeda31001a17ec5a4ba78992fef6094d6
                                                • Opcode Fuzzy Hash: 8c27828c4bda868dbe710856b35a0aa605b73b6248d59e1811667607dd0ac87a
                                                • Instruction Fuzzy Hash: B3017530B1954A4BD73C9B68C4715FC33E6EB49705F20903ED59BC71E6DE38EA465640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A7C6A Relevance: .0, Instructions: 50COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b80f868f4aca306beb5baf48718726de73ab07dd21f7106f926f26f58c800409
                                                • Instruction ID: fe3da9980672438198266b481b0e1f8e1494586028cf855e2012aaf1044e1ec7
                                                • Opcode Fuzzy Hash: b80f868f4aca306beb5baf48718726de73ab07dd21f7106f926f26f58c800409
                                                • Instruction Fuzzy Hash: BC11C874E1991D8FDBA9EF18C8A5BA8B3B1FB58304F5001F9E00DE3295CA756A81CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2440 Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb82e78e01bcb5ed79f6bfe4b34b6b2e8768d12603872649c3577049f549b4fc
                                                • Instruction ID: 815133bbb942e94a069252c8b21e24380495fa0019e1b183674fbcc4ddce0775
                                                • Opcode Fuzzy Hash: bb82e78e01bcb5ed79f6bfe4b34b6b2e8768d12603872649c3577049f549b4fc
                                                • Instruction Fuzzy Hash: 53F0E9B250E64C5EEB289E48AC5BAFA3BA8DB47334F00011EE58D82062E1527553C255
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A3659 Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4e271e1e3d4c7de7ad894e01c779d56f1234a4f6b75634dcc22c8f6e6f95b669
                                                • Instruction ID: 399b8ac95288a0bccf8fa271b2f8cd6c1a42b2681e68703a49ffed62525f1dbb
                                                • Opcode Fuzzy Hash: 4e271e1e3d4c7de7ad894e01c779d56f1234a4f6b75634dcc22c8f6e6f95b669
                                                • Instruction Fuzzy Hash: 01012672D4E6850BE3365BB47C238E67FA0DF0661070A01F7D058CA6A3D90D268683E2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2659 Relevance: .0, Instructions: 46COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b7083010f56d759b253eaf4ac5b05cc0d686259b6ae220b83fd0e7df477b6efe
                                                • Instruction ID: 6acce021c438b10b1be748c03718db90bb6f5eb0302ceec9581a768d76fb4504
                                                • Opcode Fuzzy Hash: b7083010f56d759b253eaf4ac5b05cc0d686259b6ae220b83fd0e7df477b6efe
                                                • Instruction Fuzzy Hash: 5F01243180E6C95FD712DFA4CC695E9BFF0EF5A200B0981EBD088CB0B2DA285946C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AB65D Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 39bc72348deeaf638a42c3a7b1dc3ec70ee6662abaf7656b11f189d204ba4340
                                                • Instruction ID: 5278dacea655233209c033f1e969eb4cab173aa02c602e0b1b1a6fea9a20fc5f
                                                • Opcode Fuzzy Hash: 39bc72348deeaf638a42c3a7b1dc3ec70ee6662abaf7656b11f189d204ba4340
                                                • Instruction Fuzzy Hash: 7C01A230B2954D8BE7389B68C4B55FC33D6EB49705F20413ED4ABC21E2DE38E6464640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AF08D Relevance: .0, Instructions: 42COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae92d6c5723e1f5714dc26c9ab71934e8fe0d12e426005dcb946c46a12fa4217
                                                • Instruction ID: eea6a3441b5b2275fbc1a84e7ebe78c1536017bc34649b584dece9665064b381
                                                • Opcode Fuzzy Hash: ae92d6c5723e1f5714dc26c9ab71934e8fe0d12e426005dcb946c46a12fa4217
                                                • Instruction Fuzzy Hash: D3013970A0892C8FDFA9DF58C895BA8BBB1FB69301F1041DAC04DE7651CB71AA85CF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A12D8 Relevance: .0, Instructions: 40COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95473b82c5692b0e577dc69f802dc80b86fa4f2d0c49ee577dd9c540ab81d032
                                                • Instruction ID: a0ab9bfbe8a497540deaad94fde0824ddbe70be58feed9a9dacd8c28ab90cd8a
                                                • Opcode Fuzzy Hash: 95473b82c5692b0e577dc69f802dc80b86fa4f2d0c49ee577dd9c540ab81d032
                                                • Instruction Fuzzy Hash: DF018120E1E6AA0FE3B6E7A444752757BE1AF4A300F0644EBD058CB5E7D918DD8983A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AFBD3 Relevance: .0, Instructions: 38COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2097748777b1d768136f53fbc220202e74f4c81e0fa4f0a0b0d41aabfbfed28f
                                                • Instruction ID: 1d41f71883ffbde56b6ac78a4000c2f9d4410a038791171c6c59162b67b9fab0
                                                • Opcode Fuzzy Hash: 2097748777b1d768136f53fbc220202e74f4c81e0fa4f0a0b0d41aabfbfed28f
                                                • Instruction Fuzzy Hash: F6F05936B0926E46D319BBB5BC266FE3B00EF84278F000073E1AC460D29E382295C2C2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AD3AA Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6364fa4c7c8d8be0996aacc52aae41300c365d61cce50c07466cf792668abd5
                                                • Instruction ID: 1aa4a838fb6c0745295bc06d80176a98c9a9accd0f19ef7416ae28177953e455
                                                • Opcode Fuzzy Hash: e6364fa4c7c8d8be0996aacc52aae41300c365d61cce50c07466cf792668abd5
                                                • Instruction Fuzzy Hash: AA01B27091992D8FDFA9EB08C894BE9B7B1FB68301F1041D9900DE7660DA71AEC1CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A8DF7 Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9ff341e6a1dd8a3762ccb6b8cd287a4e9784e03313de13f1027970e6863c5205
                                                • Instruction ID: 6fa55038be176c6a61cf27498f5654868c51c16be622982999d2ff669f60593c
                                                • Opcode Fuzzy Hash: 9ff341e6a1dd8a3762ccb6b8cd287a4e9784e03313de13f1027970e6863c5205
                                                • Instruction Fuzzy Hash: B2010074A4892C8FDFA8EF18C895BA9B7B1FB69705F5041D9804DE3251DA31AE85CF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AEFA7 Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b796121b973cff3c1c2d1cdb7fdb920ef5c739a5de68bef609db4590201b05e0
                                                • Instruction ID: e6015dd7137d48f1bcf4f137c6fedef0c6f0b45dbbcba3feb7e3c94b22a7fcc2
                                                • Opcode Fuzzy Hash: b796121b973cff3c1c2d1cdb7fdb920ef5c739a5de68bef609db4590201b05e0
                                                • Instruction Fuzzy Hash: 45011D70D4995D9FCB55EBA8C864FADBBB0FF19300F1400A9D00ED75A5DB34A981CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8B0270 Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21c10a720bfb77daeff59fd1a2b6ad8a33aa7619e31248bb3bc42c91a1059a5e
                                                • Instruction ID: 7a316d38ce12cbb20259f7ffd1480a99adc355d5676569bfba9ba42dd087d9e6
                                                • Opcode Fuzzy Hash: 21c10a720bfb77daeff59fd1a2b6ad8a33aa7619e31248bb3bc42c91a1059a5e
                                                • Instruction Fuzzy Hash: A7F0F834904A4ECFDB94EF58C944AEA77E0FF59300F1105AAF829C72A5C734EA64DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AA6B5 Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4bd6eb9e6e58383b5696f896a1d3f761cda42a680b22089478ce198705b61c26
                                                • Instruction ID: 7683320c919b2d914aa722084a4594d47babf1650bd4e1fc2cb1e3e5fcea3825
                                                • Opcode Fuzzy Hash: 4bd6eb9e6e58383b5696f896a1d3f761cda42a680b22089478ce198705b61c26
                                                • Instruction Fuzzy Hash: A2E01A2284F3CC5FD7139B608C655A5BF70BF47114F0E42EBE5888B4A3D62D5628C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AE90C Relevance: .0, Instructions: 21COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48646d4aaffe97c12c890580cc6c9e11d809bd688299ef80d3ab85f2bf48cbee
                                                • Instruction ID: 8e44c96bb74f39e67a202f5039647e7dd3aa3486b1d332840fb0b798b0e52f87
                                                • Opcode Fuzzy Hash: 48646d4aaffe97c12c890580cc6c9e11d809bd688299ef80d3ab85f2bf48cbee
                                                • Instruction Fuzzy Hash: 0EE08C7160C78E8FC7A4CF9CD0A0666B3D2EB88304F51893DE08AC7A61DAB0A8438700
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8AAF98 Relevance: .0, Instructions: 13COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bbb248375b8bb789385e3fd51fc67cfdb2ad5644a162b64b9645356db38461df
                                                • Instruction ID: ab9aff5f23aa1d744415f38b0d1e3e0abd875d5e0e718b3e6332d4cdbc3728a5
                                                • Opcode Fuzzy Hash: bbb248375b8bb789385e3fd51fc67cfdb2ad5644a162b64b9645356db38461df
                                                • Instruction Fuzzy Hash: E6C09B1378A51D49D5945A5C7C511B4B340DB45131B8111B7D909C555AD86B49454781
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A8A04 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 89a7a80d33ef7f3bc893218a3eb6379ef33d9532b48a71f1864894e79773d94d
                                                • Instruction ID: b8def182b4863b1be4d7534a0b867f66c720e187b639de7df44d0909560134e8
                                                • Opcode Fuzzy Hash: 89a7a80d33ef7f3bc893218a3eb6379ef33d9532b48a71f1864894e79773d94d
                                                • Instruction Fuzzy Hash: 8CD092B0E4950E8EDBA4DFC594645BCBBB0AF48301F91003AC01AE22A1DA3825528F21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A4234 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54917442d206e0f22a556ecca4352a9ad59b3ec935c0429407c7606556052a04
                                                • Instruction ID: 1c04417b6f53656d0484d7d62b32409e91a3897d704cd5dccd521a8e4ad85c61
                                                • Opcode Fuzzy Hash: 54917442d206e0f22a556ecca4352a9ad59b3ec935c0429407c7606556052a04
                                                • Instruction Fuzzy Hash: 41C08081F25C4B35D75C576408B51F19291EF58300F41007C905F820C7EE1875054100
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A69B7 Relevance: .0, Instructions: 9COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e37c92dfa5beb11c98f3ff38f4824b21166f3cfc9a7be88a12e4f937bd2ef790
                                                • Instruction ID: 907303b6c93a149455b80909f649d2bb6eed67cd56bb7823aa075e799a089e44
                                                • Opcode Fuzzy Hash: e37c92dfa5beb11c98f3ff38f4824b21166f3cfc9a7be88a12e4f937bd2ef790
                                                • Instruction Fuzzy Hash: 18C01270F0961E8DD770DB44446037C6160AF09300F5100F9804EE2151CE3416809B51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8A2850 Relevance: .0, Instructions: 3COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1722354683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_7ffd9b8a0000_yqlOaUZZYhEp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22e642ab1ce693d423bf96c6870a8322d48b2fadf33e28e300ed9c9d88e67d9a
                                                • Instruction ID: 3a12d829d07ca23414d42cfa82098c0ff76aadd08b5bd1dd82fc35bbd20e841c
                                                • Opcode Fuzzy Hash: 22e642ab1ce693d423bf96c6870a8322d48b2fadf33e28e300ed9c9d88e67d9a
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%