
Windows Analysis Report
RFQ#1047.exe

Overview

General Information

Sample name: RFQ#1047.exe
Analysis ID: 1426825
MD5: 6846f1fb78fad5224b98b0137e7a862d
SHA1: f40fa249d6464ef5c1f9e39748162fd5d70e7aaa
SHA256: 66a0cfa14afdb23dec776fa355b9f89551405989b9838db6398c77ee6c73c084
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ#1047.exe (PID: 2488 cmdline: "C:\Users\user\Desktop\RFQ#1047.exe" MD5: 6846F1FB78FAD5224B98B0137E7A862D)
    • MSBuild.exe (PID: 6440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.xpl.co.nz", "Username": "martin@xpl.co.nz", "Password": "martin123"}
Source | Rule | Description | Author | Strings
  • 00000003.00000002.4571683281.00000000028C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (6 entries in total; remaining entries not shown)

Source | Rule | Description | Author | Strings
  • 0.2.RFQ#1047.exe.389e128.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.RFQ#1047.exe.389e128.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.RFQ#1047.exe.389e128.8.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | matched strings:
      0x316f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      0x31767:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      0x317f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      0x31883:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      0x318ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      0x3195f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      0x319f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      0x31a85:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 0.2.RFQ#1047.exe.38d8b48.9.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.RFQ#1047.exe.38d8b48.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (12 entries in total; remaining entries not shown)

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 203.170.87.105, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6440, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49712
No Snort rule has matched

AV Detection

Source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.xpl.co.nz", "Username": "martin@xpl.co.nz", "Password": "martin123"}
Source: RFQ#1047.exe | Virustotal: Detection: 32%
Source: RFQ#1047.exe | ReversingLabs: Detection: 26%
Source: RFQ#1047.exe | Joe Sandbox ML: detected
Source: RFQ#1047.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49722 version: TLS 1.0
Source: RFQ#1047.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Gqwv.pdbSHA256>5 source: RFQ#1047.exe
Source: Binary string: Gqwv.pdb source: RFQ#1047.exe
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 4x nop then jmp 02541327h (0_2_02540A17)

Networking

Source: Yara match | File source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ#1047.exe.389e128.8.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49712 -> 203.170.87.105:587
Source: Joe Sandbox View | ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49722 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64 (14 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 23.47.204.65 (2 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: mail.xpl.co.nz
Source: MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.xpl.co.nz
Source: MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4567897518.0000000000A24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4567897518.0000000000A24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: MSBuild.exe, 00000003.00000002.4567897518.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 00000003.00000002.4567897518.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RFQ#1047.exe, 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, hxAF.cs | .Net Code: glYnN5
Source: 0.2.RFQ#1047.exe.389e128.8.raw.unpack, hxAF.cs | .Net Code: glYnN5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.RFQ#1047.exe.389e128.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ#1047.exe.38d8b48.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ#1047.exe.389e128.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ#1047.exe.26836dc.0.raw.unpack, SQL.cs | Large array initialization: array initializer size 13797
Source: 0.2.RFQ#1047.exe.4cd0000.11.raw.unpack, SQL.cs | Large array initialization: array initializer size 13797
Source: initial sample | Static PE information: Filename: RFQ#1047.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_009FDCD4
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_02542B88
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CC0A98
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CC3789
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CC3798
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CCC448
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CCC437
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CCE080
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CCC010
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CCBFE0
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CCEA30
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CCC880
Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CCC870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_026AB2D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_026AD065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_026A4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_026A3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_026A41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_0542E660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_05421522
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_05421528
Source: RFQ#1047.exe, 00000000.00000002.2133925694.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ#1047.exe
Source: RFQ#1047.exe, 00000000.00000002.2138904413.0000000006D20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ#1047.exe
Source: RFQ#1047.exe, 00000000.00000002.2134593828.0000000002661000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs RFQ#1047.exe
Source: RFQ#1047.exe, 00000000.00000002.2134593828.00000000026FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0514e01a-0008-46df-921e-cd27674422ca.exe4 vs RFQ#1047.exe
Source: RFQ#1047.exe, 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0514e01a-0008-46df-921e-cd27674422ca.exe4 vs RFQ#1047.exe
Source: RFQ#1047.exe, 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ#1047.exe
Source: RFQ#1047.exe, 00000000.00000002.2138230748.0000000004CD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs RFQ#1047.exe
Source: RFQ#1047.exe, 00000000.00000000.2101808600.00000000002AE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGqwv.exeX vs RFQ#1047.exe
Source: RFQ#1047.exe | Binary or memory string: OriginalFilenameGqwv.exeX vs RFQ#1047.exe
Source: RFQ#1047.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RFQ#1047.exe.389e128.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ#1047.exe.38d8b48.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ#1047.exe.389e128.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: RFQ#1047.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, N43UVggPg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, N43UVggPg.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, Ow96S4wT.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, MjzNdC.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, YA7n3FZTdLntNid9Yp.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, YA7n3FZTdLntNid9Yp.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, YA7n3FZTdLntNid9Yp.cs | Security API names: _0020.AddAccessRule
Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, tXM2R9Mp9uJhtKSc3Q.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, YA7n3FZTdLntNid9Yp.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, YA7n3FZTdLntNid9Yp.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, YA7n3FZTdLntNid9Yp.cs | Security API names: _0020.AddAccessRule
Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, tXM2R9Mp9uJhtKSc3Q.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\RFQ#1047.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ#1047.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\RFQ#1047.exe | Mutant created: \Sessions\1\BaseNamedObjects\JodxOYXzEQapGOsShdhFmV
Source: RFQ#1047.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ#1047.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\RFQ#1047.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ#1047.exe | Virustotal: Detection: 32%
Source: RFQ#1047.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\RFQ#1047.exe | File read: C:\Users\user\Desktop\RFQ#1047.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\RFQ#1047.exe "C:\Users\user\Desktop\RFQ#1047.exe"
Source: C:\Users\user\Desktop\RFQ#1047.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ#1047.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\RFQ#1047.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: RFQ#1047.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ#1047.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: RFQ#1047.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Gqwv.pdbSHA256>5 source: RFQ#1047.exe
Source: Binary string: Gqwv.pdb source: RFQ#1047.exe

                    Data Obfuscation

                    Source: 0.2.RFQ#1047.exe.26836dc.0.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, YA7n3FZTdLntNid9Yp.cs | .Net Code: T8cgGe95JY System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, YA7n3FZTdLntNid9Yp.cs | .Net Code: T8cgGe95JY System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.RFQ#1047.exe.4cd0000.11.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: RFQ#1047.exe | Static PE information: 0xC237A2E0 [Mon Apr 3 06:21:20 2073 UTC]
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_009FF1D0 push esp; iretd 0_2_009FF1D1
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CC2563 pushad ; iretd 0_2_06CC256E
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CC5017 pushfd ; ret 0_2_06CC501A
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Code function: 0_2_06CC29A8 pushfd ; iretd 0_2_06CC29B1
                    Source: RFQ#1047.exe | Static PE information: section name: .text entropy: 7.976223626985366
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, EONHNxPdUdAdHmAIMv.cs | High entropy of concatenated method names: 'I7Ew9hvH3g', 'MH9we49t1j', 'rQMwVqiP1R', 'GhuwbbN9nR', 'tSFwsN4D4y', 'KCawdyAupD', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, znlXIrvTbwjF26P0g7.cs | High entropy of concatenated method names: 'aHbK3eW4bZ', 'KQEKfMBT4D', 'o3ow5ssCxs', 'HDswcEDAVg', 'enrKuEj874', 'bOZKDWvMb4', 'S0dKECwAGd', 'BVpKsFgAun', 'tnEKt5phen', 'pvEKyaIcQt'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, t1BnRSccD4grCcFSLVy.cs | High entropy of concatenated method names: 'ToString', 'wRJYQymZVW', 'FhSYgsKxWk', 'EgtYI3kNmj', 'sCpYO10Vlg', 'U0nY6UNBuy', 'NnOYpsnHbl', 'LboYRGDMrA', 'kZFc3WEk4LEaULb4qmR', 'GtT1JCEpp7Mkw6iULe3'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, rxBcAh3P57UAjmasZ7.cs | High entropy of concatenated method names: 'cRJwOemShs', 'Fmww6o7yoW', 'couwpMj1sV', 'GlUwRxL6x4', 'er3wJBcuNI', 'WL0w2AK8xX', 'op3wZiBoIa', 'jgfwWtoWHI', 'Fvaw8NFqtt', 'Lo8wmEi5fy'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, o0vjU3yJZJkjb9yxRt.cs | High entropy of concatenated method names: 'ToString', 'nEhNul9rVd', 'QDNNeoiODx', 'chuNVXMNdU', 'B4fNbGiHg9', 'aUlNdWestV', 'B2ZNlZbm9P', 'No0NAlcld8', 'CUHN0emuyy', 'IhYNaubG75'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, jdgOKQXoHOhb0JGGc1.cs | High entropy of concatenated method names: 'bnoRrpd6fX', 'f3RRF1iTFk', 'LLQpVxS3wC', 'dV7pbWSTTv', 'aQ9pdNdkWy', 'MUhplxEUa2', 'VI4pAt5Vi1', 'tlIp0CJRMb', 'jBapaoY1YA', 'rukpC1mHkH'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, Ly2lpSaeIZ2hmuMgm4.cs | High entropy of concatenated method names: 'Kr82iOP1DT', 'U3n21xLNee', 'tbL2G0oThS', 'VFV2kb0HnG', 'UL92rjtLKL', 'O6S2S7bRlx', 'IkW2FRltOu', 'igo2MIpa93', 'Vtk2T5yPou', 'EQl2X1Xx9N'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, DodQKgElKD3WcFM3b5.cs | High entropy of concatenated method names: 'D4KhMJhNbI', 'vOIhTNHimO', 'fMSh9rg3pu', 'SRUhe2jI9X', 'v3dhbZYse2', 'uajhd8ZTTs', 'LRPhAaLpd7', 'sOlh0gsKTJ', 'rRphCVnBeZ', 'EpohuArMri'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, p7Da0a6RAbndVtqN8j.cs | High entropy of concatenated method names: 'Dispose', 'KVZcP7Ptby', 'JXxneaNOqN', 'yyxqqy51LF', 'fwxcfBcAhP', 'a7UczAjmas', 'ProcessDialogKey', 'k7Tn5ONHNx', 'JUdncAdHmA', 'eMvnnuRrVR'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, LQWl9jgFqx9ed5Z0ac.cs | High entropy of concatenated method names: 'BrYc2XM2R9', 'g9ucZJhtKS', 'SuZc8c5KMZ', 'WR3cmc2dgO', 'iGGcLc1DAi', 'K9ocNHIXJq', 'W9UOsdiVlNaVvr6466', 'WaGV5Md3A46WRNP3Us', 'pOuccJCTY4', 'VR9cQMxN46'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, IH4LNyTuZc5KMZHR3c.cs | High entropy of concatenated method names: 'YSnpknIZU9', 'YjFpSYvZp9', 'LyCpMBEL2L', 'k8qpTHLSPH', 'I5HpLgBJ7p', 'FUBpNTV5Bg', 'jR9pKW6xOo', 'Qyvpwl0Lag', 'XJNp4nvW9i', 'daApYpWUJc'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, DICsZ8zaHKaTHria89.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'snl4h0XigF', 'iZU4L8veQP', 'bF14NMGTOc', 'cet4KjuT4k', 's4J4w9ZRAH', 'fb8441J556', 'RXN4YcPhHg'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, dqkscgc5qRyKRlbcFQB.cs | High entropy of concatenated method names: 'UYp4itGvSC', 'm1m41vF867', 'H9M4GeS6Jl', 'V0p4krMkH3', 'zNr4rEUMqw', 'gyP4Sp2wnX', 'zky4FWV41q', 'mfv4M4keIK', 'hsX4TrbcFv', 'uEV4X8aCCh'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, TH9snRn08Vg9b5CVEn.cs | High entropy of concatenated method names: 'KbNGJBFcW', 'jJmkaqW8d', 'EpWSIkWDi', 'qoTFFAscP', 'ThWTwMncY', 'Fy1XJL7OD', 'tbIZfBGZR3jKoyKxv0', 'dEtK6K1OrJtlnHvRg2', 'lCywIIGgM', 'DBlYhqS7W'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, NRRM5XsUNoHCuGlSUC.cs | High entropy of concatenated method names: 'xwQLCGETA5', 'Q2RLDx1HOi', 'BD3Lsy6Vwv', 'NbNLtpRfOX', 'wg4LeD3jh4', 'wZaLVI9oWY', 'yPxLbfe7MN', 'MYLLdg8teU', 'c6XLl3Vke5', 'e6tLAxcqYB'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, ORrVRmfgs7pNHjuU4H.cs | High entropy of concatenated method names: 'afI4cgk7jw', 'Xhd4QCGDrb', 'hXC4gFsWIl', 'CAG4Oatunq', 'p5K46R63qF', 'giE4RICerO', 'pSZ4JCC1Vb', 'a6UwHfV04r', 'CSdw3FA3YN', 'rjowP0JjoF'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, tXM2R9Mp9uJhtKSc3Q.cs | High entropy of concatenated method names: 'hj06sBbnSK', 'UAZ6t0dV8J', 'xGa6yYolIY', 'yYD6UgpCHV', 'Ugy6xwDDRM', 'lF26vMwZMv', 'TbN6Hp5awH', 'TLH63s1n3k', 'kM46PVA2c5', 'YHZ6fkCUrE'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, XUCb71cQCrnCYxpmfib.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bo5Ysyhws8', 'P6bYtDLwB8', 'IqxYy6YlMn', 'fIdYUqRZTn', 'nn1YxJrrYi', 'MENYvfuCyI', 'LpwYHdJMWH'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, uw0s4PcnXqDkf7IcS02.cs | High entropy of concatenated method names: 'tJYYiF9oeB', 'TDiY1sHcbq', 'CHuYGqMRa3', 'Icv7Z3Eeqq4hwvc9CWQ', 'OprQcSEINl4P9xHQijy', 'oPLYWAEil1yS3LYmQpI', 'nsf9uxEdXX9GIwmVNK8'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, LuP0AvAVNu3WAkDN2Z.cs | High entropy of concatenated method names: 'Odr2O5NE9y', 'gF12prUkCf', 'Uux2JJxKZ2', 'g8MJf7iKuN', 'xBoJzgUasw', 'Gmu25yRccX', 'aFi2cs9xuu', 'GTf2nlLX2V', 'HuQ2QFfQdp', 'Nt82g666Ln'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, PAil9o9HIXJqTnkAlF.cs | High entropy of concatenated method names: 'AeDJIHSXsk', 'EWIJ638T4Q', 'MfiJRxcBbb', 'OVRJ2JD8dX', 'QdmJZ5mapI', 'STiRxflhhh', 'YXyRvhdlnO', 'TOnRH0I76M', 'X1TR3JlDBm', 'SoARPF2Qxi'
                    Source: 0.2.RFQ#1047.exe.6d20000.14.raw.unpack, YA7n3FZTdLntNid9Yp.cs | High entropy of concatenated method names: 'AUoQI8gCqw', 'SH9QOy1Y1Q', 'otJQ6b2LYO', 'bHcQpYOVsf', 'wS5QRLLpSo', 'QcKQJ9NsfA', 'tEdQ2u7lSk', 'FwfQZR5EWL', 'WXUQWgwn4S', 'BiQQ8ZadHV'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, EONHNxPdUdAdHmAIMv.cs | High entropy of concatenated method names: 'I7Ew9hvH3g', 'MH9we49t1j', 'rQMwVqiP1R', 'GhuwbbN9nR', 'tSFwsN4D4y', 'KCawdyAupD', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, znlXIrvTbwjF26P0g7.cs | High entropy of concatenated method names: 'aHbK3eW4bZ', 'KQEKfMBT4D', 'o3ow5ssCxs', 'HDswcEDAVg', 'enrKuEj874', 'bOZKDWvMb4', 'S0dKECwAGd', 'BVpKsFgAun', 'tnEKt5phen', 'pvEKyaIcQt'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, t1BnRSccD4grCcFSLVy.cs | High entropy of concatenated method names: 'ToString', 'wRJYQymZVW', 'FhSYgsKxWk', 'EgtYI3kNmj', 'sCpYO10Vlg', 'U0nY6UNBuy', 'NnOYpsnHbl', 'LboYRGDMrA', 'kZFc3WEk4LEaULb4qmR', 'GtT1JCEpp7Mkw6iULe3'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, rxBcAh3P57UAjmasZ7.cs | High entropy of concatenated method names: 'cRJwOemShs', 'Fmww6o7yoW', 'couwpMj1sV', 'GlUwRxL6x4', 'er3wJBcuNI', 'WL0w2AK8xX', 'op3wZiBoIa', 'jgfwWtoWHI', 'Fvaw8NFqtt', 'Lo8wmEi5fy'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, o0vjU3yJZJkjb9yxRt.cs | High entropy of concatenated method names: 'ToString', 'nEhNul9rVd', 'QDNNeoiODx', 'chuNVXMNdU', 'B4fNbGiHg9', 'aUlNdWestV', 'B2ZNlZbm9P', 'No0NAlcld8', 'CUHN0emuyy', 'IhYNaubG75'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, jdgOKQXoHOhb0JGGc1.cs | High entropy of concatenated method names: 'bnoRrpd6fX', 'f3RRF1iTFk', 'LLQpVxS3wC', 'dV7pbWSTTv', 'aQ9pdNdkWy', 'MUhplxEUa2', 'VI4pAt5Vi1', 'tlIp0CJRMb', 'jBapaoY1YA', 'rukpC1mHkH'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, Ly2lpSaeIZ2hmuMgm4.cs | High entropy of concatenated method names: 'Kr82iOP1DT', 'U3n21xLNee', 'tbL2G0oThS', 'VFV2kb0HnG', 'UL92rjtLKL', 'O6S2S7bRlx', 'IkW2FRltOu', 'igo2MIpa93', 'Vtk2T5yPou', 'EQl2X1Xx9N'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, DodQKgElKD3WcFM3b5.cs | High entropy of concatenated method names: 'D4KhMJhNbI', 'vOIhTNHimO', 'fMSh9rg3pu', 'SRUhe2jI9X', 'v3dhbZYse2', 'uajhd8ZTTs', 'LRPhAaLpd7', 'sOlh0gsKTJ', 'rRphCVnBeZ', 'EpohuArMri'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, p7Da0a6RAbndVtqN8j.cs | High entropy of concatenated method names: 'Dispose', 'KVZcP7Ptby', 'JXxneaNOqN', 'yyxqqy51LF', 'fwxcfBcAhP', 'a7UczAjmas', 'ProcessDialogKey', 'k7Tn5ONHNx', 'JUdncAdHmA', 'eMvnnuRrVR'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, LQWl9jgFqx9ed5Z0ac.cs | High entropy of concatenated method names: 'BrYc2XM2R9', 'g9ucZJhtKS', 'SuZc8c5KMZ', 'WR3cmc2dgO', 'iGGcLc1DAi', 'K9ocNHIXJq', 'W9UOsdiVlNaVvr6466', 'WaGV5Md3A46WRNP3Us', 'pOuccJCTY4', 'VR9cQMxN46'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, IH4LNyTuZc5KMZHR3c.cs | High entropy of concatenated method names: 'YSnpknIZU9', 'YjFpSYvZp9', 'LyCpMBEL2L', 'k8qpTHLSPH', 'I5HpLgBJ7p', 'FUBpNTV5Bg', 'jR9pKW6xOo', 'Qyvpwl0Lag', 'XJNp4nvW9i', 'daApYpWUJc'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, DICsZ8zaHKaTHria89.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'snl4h0XigF', 'iZU4L8veQP', 'bF14NMGTOc', 'cet4KjuT4k', 's4J4w9ZRAH', 'fb8441J556', 'RXN4YcPhHg'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, dqkscgc5qRyKRlbcFQB.cs | High entropy of concatenated method names: 'UYp4itGvSC', 'm1m41vF867', 'H9M4GeS6Jl', 'V0p4krMkH3', 'zNr4rEUMqw', 'gyP4Sp2wnX', 'zky4FWV41q', 'mfv4M4keIK', 'hsX4TrbcFv', 'uEV4X8aCCh'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, TH9snRn08Vg9b5CVEn.cs | High entropy of concatenated method names: 'KbNGJBFcW', 'jJmkaqW8d', 'EpWSIkWDi', 'qoTFFAscP', 'ThWTwMncY', 'Fy1XJL7OD', 'tbIZfBGZR3jKoyKxv0', 'dEtK6K1OrJtlnHvRg2', 'lCywIIGgM', 'DBlYhqS7W'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, NRRM5XsUNoHCuGlSUC.cs | High entropy of concatenated method names: 'xwQLCGETA5', 'Q2RLDx1HOi', 'BD3Lsy6Vwv', 'NbNLtpRfOX', 'wg4LeD3jh4', 'wZaLVI9oWY', 'yPxLbfe7MN', 'MYLLdg8teU', 'c6XLl3Vke5', 'e6tLAxcqYB'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, ORrVRmfgs7pNHjuU4H.cs | High entropy of concatenated method names: 'afI4cgk7jw', 'Xhd4QCGDrb', 'hXC4gFsWIl', 'CAG4Oatunq', 'p5K46R63qF', 'giE4RICerO', 'pSZ4JCC1Vb', 'a6UwHfV04r', 'CSdw3FA3YN', 'rjowP0JjoF'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, tXM2R9Mp9uJhtKSc3Q.cs | High entropy of concatenated method names: 'hj06sBbnSK', 'UAZ6t0dV8J', 'xGa6yYolIY', 'yYD6UgpCHV', 'Ugy6xwDDRM', 'lF26vMwZMv', 'TbN6Hp5awH', 'TLH63s1n3k', 'kM46PVA2c5', 'YHZ6fkCUrE'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, XUCb71cQCrnCYxpmfib.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bo5Ysyhws8', 'P6bYtDLwB8', 'IqxYy6YlMn', 'fIdYUqRZTn', 'nn1YxJrrYi', 'MENYvfuCyI', 'LpwYHdJMWH'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, uw0s4PcnXqDkf7IcS02.cs | High entropy of concatenated method names: 'tJYYiF9oeB', 'TDiY1sHcbq', 'CHuYGqMRa3', 'Icv7Z3Eeqq4hwvc9CWQ', 'OprQcSEINl4P9xHQijy', 'oPLYWAEil1yS3LYmQpI', 'nsf9uxEdXX9GIwmVNK8'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, LuP0AvAVNu3WAkDN2Z.cs | High entropy of concatenated method names: 'Odr2O5NE9y', 'gF12prUkCf', 'Uux2JJxKZ2', 'g8MJf7iKuN', 'xBoJzgUasw', 'Gmu25yRccX', 'aFi2cs9xuu', 'GTf2nlLX2V', 'HuQ2QFfQdp', 'Nt82g666Ln'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, PAil9o9HIXJqTnkAlF.cs | High entropy of concatenated method names: 'AeDJIHSXsk', 'EWIJ638T4Q', 'MfiJRxcBbb', 'OVRJ2JD8dX', 'QdmJZ5mapI', 'STiRxflhhh', 'YXyRvhdlnO', 'TOnRH0I76M', 'X1TR3JlDBm', 'SoARPF2Qxi'
                    Source: 0.2.RFQ#1047.exe.39c8240.10.raw.unpack, YA7n3FZTdLntNid9Yp.cs | High entropy of concatenated method names: 'AUoQI8gCqw', 'SH9QOy1Y1Q', 'otJQ6b2LYO', 'bHcQpYOVsf', 'wS5QRLLpSo', 'QcKQJ9NsfA', 'tEdQ2u7lSk', 'FwfQZR5EWL', 'WXUQWgwn4S', 'BiQQ8ZadHV'
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory allocated: 9F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory allocated: 2660000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory allocated: 24B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory allocated: 8640000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory allocated: 9640000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory allocated: 9840000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory allocated: A840000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: C90000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2850000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 25B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 120000000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 119999862
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 119999738
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 119999613
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 119999488
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 119999363
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 7854
                    Source: C:\Users\user\Desktop\RFQ#1047.exe TID: 4972 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -23058430092136925s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3472 | Thread sleep count: 2000 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3472 | Thread sleep count: 7854 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -99766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -99546s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -99438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -99313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -99188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -99078s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -98969s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -98844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616 | Thread sleep time: -98734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -98625s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -98485s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -98375s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -98266s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -98141s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -98031s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97922s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97703s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97484s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97375s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97266s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97146s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -97016s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96797s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96687s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96578s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96469s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96250s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96140s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -96031s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -95922s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -95812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -95703s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -95594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -95484s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -95375s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -95266s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -95156s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -120000000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -119999862s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -119999738s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -119999613s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -119999488s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1616Thread sleep time: -119999363s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\RFQ#1047.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99546Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99438Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99078Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98969Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98844Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98266Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98141Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97266Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97146Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97016Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95266Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 120000000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 119999862Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 119999738Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 119999613Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 119999488Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 119999363Jump to behavior
                    Source: MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\RFQ#1047.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ#1047.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\RFQ#1047.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 73A008
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Queries volume information: C:\Users\user\Desktop\RFQ#1047.exe VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ#1047.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.RFQ#1047.exe.389e128.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.38d8b48.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.389e128.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.4571683281.00000000028C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ#1047.exe PID: 2488, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.389e128.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.38d8b48.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.389e128.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ#1047.exe PID: 2488, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.RFQ#1047.exe.389e128.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.38d8b48.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.38d8b48.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ#1047.exe.389e128.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.4571683281.00000000028C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ#1047.exe PID: 2488, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    1
                    Disable or Modify Tools
                    1
                    OS Credential Dumping
                    1
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    12
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts311
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    21
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol1
                    Data from Local System
                    1
                    Non-Standard Port
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)3
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    111
                    Security Software Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing
                    NTDS1
                    Process Discovery
                    Distributed Component Object Model21
                    Input Capture
                    12
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp
                    LSA Secrets141
                    Virtualization/Sandbox Evasion
                    SSH1
                    Clipboard Data
                    Fallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading
                    Cached Domain Credentials1
                    Application Window Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading
                    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                    Virtualization/Sandbox Evasion
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt311
                    Process Injection
                    /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement



                    Source | Detection | Scanner | Label | Link
                    RFQ#1047.exe | 32% | Virustotal | | Browse
                    RFQ#1047.exe | 26% | ReversingLabs | Win32.Trojan.CrypterX |
                    RFQ#1047.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    fp2e7a.wpc.phicdn.net | 0% | Virustotal | | Browse
                    Source | Detection | Scanner | Label | Link
                    http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
                    http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
                    http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
                    http://r3.i.lencr.org/0 | 0% | URL Reputation | safe |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    mail.xpl.co.nz | 203.170.87.105 | true | true | | unknown
                    fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://r3.o.lencr.org0 | MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4567897518.0000000000A24000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://account.dyn.com/ | RFQ#1047.exe, 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    http://x1.c.lencr.org/0 | MSBuild.exe, 00000003.00000002.4567897518.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://x1.i.lencr.org/0 | MSBuild.exe, 00000003.00000002.4567897518.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://r3.i.lencr.org/0 | MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4567897518.0000000000A24000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
203.170.87.105 | mail.xpl.co.nz | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1426825
                        Start date and time:2024-04-16 17:13:06 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 35s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:10
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:RFQ#1047.exe
                        Detection:MAL
                        Classification:mal100.spre.troj.spyw.evad.winEXE@3/1@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 97%
                        • Number of executed functions: 90
                        • Number of non-executed functions: 11
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 23.63.206.91, 52.159.126.152, 40.68.123.157, 192.229.211.108, 23.47.204.63, 23.47.204.79, 23.47.204.52, 23.47.204.73, 23.47.204.45, 23.47.204.82, 23.47.204.44, 23.47.204.76, 23.47.204.78, 52.165.164.15, 13.85.23.206, 23.47.204.67, 23.47.204.64, 23.47.204.75, 23.47.204.49, 23.47.204.69, 23.47.204.48, 23.47.204.68, 52.159.127.243, 40.126.7.32, 40.126.28.21, 40.126.28.12, 40.126.28.14, 40.126.28.13, 40.126.28.19, 40.126.28.18, 40.126.28.20, 204.79.197.200, 13.107.21.200
                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.trafficmanager.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, dual-a-0001.a-msedge.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, wwwprod.www-bing-com.akadns.net
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
17:13:54 | API Interceptor | 2x Sleep call for process: RFQ#1047.exe modified
17:13:56 | API Interceptor | 12364467x Sleep call for process: MSBuild.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
203.170.87.105 | RFQ#1047.exe | malicious | AgentTesla
 | RFQ 1.exe | malicious | AgentTesla
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.xpl.co.nz | RFQ#1047.exe | malicious | AgentTesla | 203.170.87.105
 | RFQ 1.exe | malicious | AgentTesla | 203.170.87.105
fp2e7a.wpc.phicdn.net | http://169.150.221.147 | malicious | Unknown | 192.229.211.108
 | http://live-uoe-edweb.pantheonsite.io | malicious | Unknown | 192.229.211.108
 | https://www.dropbox.com/l/AABrfWjSV514IDLhR60LLT60TO4apO7UVoY/privacy#privacy | malicious | Unknown | 192.229.211.108
 | http://s.ksrndkehqnwntyxlhgto.com | malicious | Unknown | 192.229.211.108
 | vRp56pf5a9.exe | malicious | CredGrabber, PureLog Stealer, zgRAT | 192.229.211.108
 | http://www.makefun.online | malicious | Captcha Phish | 192.229.211.108
 | http://msmetal.com | malicious | Unknown | 192.229.211.108
 | https://dweb.link/ipfs/bafkreihtggm5lijbcmgnngp56fgtaxfzglditdvyi6vhk6v4yi5nmurq2u?filename=Login.html#lbannon@nexpoint.com | malicious | Unknown | 192.229.211.108
 | https://dweb.link/ipfs/bafkreihtggm5lijbcmgnngp56fgtaxfzglditdvyi6vhk6v4yi5nmurq2u?filename=Login.html#hello@better.com | malicious | Unknown | 192.229.211.108
 | http://www.mtalx.com | malicious | Unknown | 192.229.211.108
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | RFQ#1047.exe | malicious | AgentTesla | 203.170.87.105
 | RFQ 1.exe | malicious | AgentTesla | 203.170.87.105
 | http://wyndham.ezybill.com.au | malicious | Unknown | 122.201.126.100
 | https://loveyawork.com.au/stack/office-3D8/index.php | malicious | HTMLPhisher | 122.201.80.143
 | https://brentwoodbuilding.com.au/mark/auth/parcel.php | malicious | Unknown | 185.184.154.193
 | LF6B2XTwcV.elf | malicious | Gafgyt, Mirai | 27.54.90.247
 | https://elgon.com.au/yahoomail/word/index.php | malicious | Unknown | 103.68.166.129
 | Payment Receipt.vbs | malicious | Remcos, GuLoader | 103.226.222.98
 | https://bloxe.vn/za.html | malicious | Unknown | 27.54.86.65
 | payment_Adv.vbs | malicious | Remcos, GuLoader | 103.226.222.98
Match | Associated Sample Name / URL | Detection | Threat Name | Context
1138de370e523e824bbca92d049a3777 | file.exe | malicious | Unknown | 173.222.162.64
 | vRp56pf5a9.exe | malicious | CredGrabber, PureLog Stealer, zgRAT | 173.222.162.64
 | http://msmetal.com | malicious | Unknown | 173.222.162.64
 | https://dweb.link/ipfs/bafkreihtggm5lijbcmgnngp56fgtaxfzglditdvyi6vhk6v4yi5nmurq2u?filename=Login.html#hello@better.com | malicious | Unknown | 173.222.162.64
 | http://www.mtalx.com | malicious | Unknown | 173.222.162.64
 | HTZ4az17lj.exe | malicious | StormKitty | 173.222.162.64
 | http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?ddg5B=ZnJhbmNvaXMuYm91bGFuZ2VyQGNnaS5jb20= | malicious | Unknown | 173.222.162.64
 | DHL Receipt_pdf.vbs | malicious | AgentTesla | 173.222.162.64
 | SecuriteInfo.com.IL.Trojan.MSILZilla.30455.29056.1307.exe | malicious | PureLog Stealer, zgRAT | 173.222.162.64
 | Purchase#order10662324.pdf.exe | malicious | AgentTesla | 173.222.162.64
                            No context
                            Process:C:\Users\user\Desktop\RFQ#1047.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.9709267708957725
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:RFQ#1047.exe
                            File size:634'368 bytes
                            MD5:6846f1fb78fad5224b98b0137e7a862d
                            SHA1:f40fa249d6464ef5c1f9e39748162fd5d70e7aaa
                            SHA256:66a0cfa14afdb23dec776fa355b9f89551405989b9838db6398c77ee6c73c084
                            SHA512:dce3134e45ba2a21efcfb4d3f4080dbecdb98d4dd4dafafd7f87daea5822350aab05dd0148b6a53e7ed7e8af26db7ee6a89de6312d1ea921b81f5a10b20326dc
                            SSDEEP:12288:tnteikJg6ZUpq4BRAa0yTow0ADZVY8HnvcHEx0MTOw:3eBJgxpq4B+adowrZfnvckG
                            TLSH:7AD423D122EA27A1F2F653FA291173040F72B87B4548E7059EC4B1EB5AB2753836E707
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7...............0.................. ........@.. ....................... ............@................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x49c2c6
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0xC237A2E0 [Mon Apr 3 06:21:20 2073 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            inc esi
                            inc esp
                            inc ebp
                            inc esi
                            inc ebx
                            push esp
                            dec esi
                            inc edi
                            dec eax
                            inc ebp
                            push edi
                            inc ecx
                            dec edi
                            push edx
                            push edx
                            cmp byte ptr [ebx+5Ah], al
                            dec edx
                            inc esi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9c272 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9e000 | 0x5e4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9b034 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9a2e4 | 0x9a400 | 4c9a6badb726c5657de2578842097774 | False | 0.9742263472447326 | data | 7.976223626985366 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9e000 | 0x5e4 | 0x600 | ae3244a75bfa6afacd2d654020a8f444 | False | 0.4290364583333333 | data | 4.192056340190565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa0000 | 0xc | 0x200 | 0427bd97cd700d073390810ff2b0adf5 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x9e090 | 0x354 | data | | | 0.41901408450704225
RT_MANIFEST | 0x9e3f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 16, 2024 17:13:57.920991898 CEST | 53451 | 53 | 192.168.2.6 | 1.1.1.1
Apr 16, 2024 17:13:58.236480951 CEST | 53 | 53451 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 16, 2024 17:13:57.920991898 CEST | 192.168.2.6 | 1.1.1.1 | 0xe3fb | Standard query (0) | mail.xpl.co.nz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 16, 2024 17:13:58.236480951 CEST | 1.1.1.1 | 192.168.2.6 | 0xe3fb | No error (0) | mail.xpl.co.nz | | 203.170.87.105 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:14:14.894503117 CEST | 1.1.1.1 | 192.168.2.6 | 0x6df7 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 16, 2024 17:14:14.894503117 CEST | 1.1.1.1 | 192.168.2.6 | 0x6df7 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 16, 2024 17:13:59.384289026 CEST | 587 | 49712 | 203.170.87.105 | 192.168.2.6 | 220-cp-wc12.per01.ds.network ESMTP Exim 4.96.2 #2 Tue, 16 Apr 2024 23:13:59 +0800
 | | | | | 220-We do not authorize the use of this system to transport unsolicited,
 | | | | | 220 and/or bulk e-mail.
Apr 16, 2024 17:13:59.395700932 CEST | 49712 | 587 | 192.168.2.6 | 203.170.87.105 | EHLO 910646
Apr 16, 2024 17:13:59.697180986 CEST | 587 | 49712 | 203.170.87.105 | 192.168.2.6 | 250-cp-wc12.per01.ds.network Hello 910646 [81.181.57.52]
 | | | | | 250-SIZE 52428800
 | | | | | 250-8BITMIME
 | | | | | 250-PIPELINING
 | | | | | 250-PIPECONNECT
 | | | | | 250-AUTH PLAIN LOGIN
 | | | | | 250-STARTTLS
 | | | | | 250 HELP
Apr 16, 2024 17:13:59.697403908 CEST | 49712 | 587 | 192.168.2.6 | 203.170.87.105 | STARTTLS
Apr 16, 2024 17:14:00.003189087 CEST | 587 | 49712 | 203.170.87.105 | 192.168.2.6 | 220 TLS go ahead

                            Target ID:0
                            Start time:17:13:54
                            Start date:16/04/2024
                            Path:C:\Users\user\Desktop\RFQ#1047.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\RFQ#1047.exe"
                            Imagebase:0x210000
                            File size:634'368 bytes
                            MD5 hash:6846F1FB78FAD5224B98B0137E7A862D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:17:13:55
                            Start date:16/04/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Imagebase:0x440000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4571683281.00000000028C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:moderate
                            Has exited:false

                              Execution Graph

                              Execution Coverage:10.1%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:138
                              Total number of Limit Nodes:9
                              execution_graph 29000 25415c0 29001 254174b 29000->29001 29002 25415e6 29000->29002 29002->29001 29005 2541840 PostMessageW 29002->29005 29007 2541838 29002->29007 29006 25418ac 29005->29006 29006->29002 29008 2541840 PostMessageW 29007->29008 29009 25418ac 29008->29009 29009->29002 28958 9fad98 28962 9fae7f 28958->28962 28970 9fae90 28958->28970 28959 9fada7 28963 9faea1 28962->28963 28964 9faec4 28962->28964 28963->28964 28978 9fb118 28963->28978 28982 9fb128 28963->28982 28964->28959 28965 9faebc 28965->28964 28966 9fb0c8 GetModuleHandleW 28965->28966 28967 9fb0f5 28966->28967 28967->28959 28971 9faea1 28970->28971 28972 9faec4 28970->28972 28971->28972 28976 9fb118 LoadLibraryExW 28971->28976 28977 9fb128 LoadLibraryExW 28971->28977 28972->28959 28973 9faebc 28973->28972 28974 9fb0c8 GetModuleHandleW 28973->28974 28975 9fb0f5 28974->28975 28975->28959 28976->28973 28977->28973 28979 9fb13c 28978->28979 28980 9fb161 28979->28980 28986 9fa8d0 28979->28986 28980->28965 28983 9fb13c 28982->28983 28984 9fb161 28983->28984 28985 9fa8d0 LoadLibraryExW 28983->28985 28984->28965 28985->28984 28987 9fb308 LoadLibraryExW 28986->28987 28989 9fb381 28987->28989 28989->28980 28990 9fd118 28991 9fd15e GetCurrentProcess 28990->28991 28993 9fd1a9 28991->28993 28994 9fd1b0 GetCurrentThread 28991->28994 28993->28994 28995 9fd1ed GetCurrentProcess 28994->28995 28996 9fd1e6 28994->28996 28997 9fd223 28995->28997 28996->28995 28998 9fd24b GetCurrentThreadId 28997->28998 28999 9fd27c 28998->28999 29121 9f4668 29122 9f467a 29121->29122 29123 9f4686 29122->29123 29125 9f4778 29122->29125 29126 9f479d 29125->29126 29130 9f4888 29126->29130 29134 9f4878 29126->29134 29132 9f48af 29130->29132 29131 9f498c 29131->29131 29132->29131 29138 9f449c 29132->29138 29136 9f48af 29134->29136 29135 9f498c 29136->29135 29137 9f449c CreateActCtxA 29136->29137 29137->29135 29139 9f5918 CreateActCtxA 29138->29139 29141 9f59db 29139->29141 29010 25403ce 29011 254035c 
29010->29011 29012 25403d1 29010->29012 29014 25403ae 29011->29014 29028 2540cec 29011->29028 29031 2540a42 29011->29031 29035 2541062 29011->29035 29039 2540b42 29011->29039 29043 2540ec0 29011->29043 29046 2540de4 29011->29046 29050 2540bfb 29011->29050 29054 2540939 29011->29054 29058 25407fc 29011->29058 29062 2540bd2 29011->29062 29066 25411d4 29011->29066 29069 2540a68 29011->29069 29073 254094f 29011->29073 29077 2540d6e 29011->29077 29081 6ccee68 29028->29081 29032 2540a4f 29031->29032 29085 6ccef28 29032->29085 29036 2540939 29035->29036 29037 2540987 29036->29037 29038 6ccef28 WriteProcessMemory 29036->29038 29037->29014 29038->29037 29040 2540a05 29039->29040 29040->29039 29041 2540e81 29040->29041 29089 6cce8a8 29040->29089 29041->29014 29093 6cce958 29043->29093 29047 2540939 29046->29047 29048 2540987 29047->29048 29049 6ccef28 WriteProcessMemory 29047->29049 29048->29014 29049->29048 29051 2540bff 29050->29051 29053 6ccef28 WriteProcessMemory 29051->29053 29052 2540f7e 29052->29014 29052->29052 29053->29052 29055 2540944 29054->29055 29056 2540987 29055->29056 29057 6ccef28 WriteProcessMemory 29055->29057 29056->29014 29057->29056 29059 25407ff 29058->29059 29097 6ccf1b0 29059->29097 29063 2540bff 29062->29063 29065 6ccef28 WriteProcessMemory 29063->29065 29064 2540f7e 29064->29014 29064->29064 29065->29064 29068 6cce958 Wow64SetThreadContext 29066->29068 29067 25411ee 29068->29067 29070 2540fde 29069->29070 29101 6ccf018 29070->29101 29074 25408f2 29073->29074 29075 254091d 29073->29075 29076 6ccf1b0 CreateProcessA 29074->29076 29076->29075 29078 2540d97 29077->29078 29080 6ccef28 WriteProcessMemory 29078->29080 29079 2540dbb 29080->29079 29082 6cceea8 VirtualAllocEx 29081->29082 29084 2540d0a 29082->29084 29084->29014 29086 6ccef70 WriteProcessMemory 29085->29086 29088 2540dbb 29086->29088 29090 6cce8e8 ResumeThread 29089->29090 29092 6cce919 29090->29092 29092->29040 29094 6cce99d Wow64SetThreadContext 29093->29094 29096 2540eda 29094->29096 29098 
6ccf239 CreateProcessA 29097->29098 29100 6ccf3fb 29098->29100 29102 6ccf063 ReadProcessMemory 29101->29102 29104 2541000 29102->29104 29105 2544478 29106 2544486 29105->29106 29109 25444a4 29105->29109 29117 25438b4 FindCloseChangeNotification 29106->29117 29108 25444e8 29109->29108 29112 2544513 29109->29112 29110 25444a0 29113 2544536 29112->29113 29116 2544554 29112->29116 29118 25438c0 29113->29118 29116->29116 29117->29110 29119 2544378 FindCloseChangeNotification 29118->29119 29120 25443df 29119->29120 29120->29108 29142 9fd421 29143 9fd3e4 DuplicateHandle 29142->29143 29145 9fd42a 29142->29145 29144 9fd3f6 29143->29144

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 44 6cc0a98-6cc0ac0 45 6cc0ac7-6cc0bee 44->45 46 6cc0ac2 44->46 55 6cc0b96-6cc0c13 45->55 56 6cc0bf0-6cc0bfd 45->56 46->45 58 6cc113d-6cc117f 55->58 59 6cc0c19-6cc1357 55->59 56->55 63 6cc1182-6cc1186 58->63 64 6cc118c-6cc1192 63->64 65 6cc0cea-6cc0cee 63->65 64->58 68 6cc1194-6cc11ef 64->68 66 6cc0cf0-6cc0cfe 65->66 67 6cc0d03-6cc0d09 65->67 69 6cc0d83-6cc0db5 66->69 70 6cc0d54-6cc0d58 67->70 84 6cc1226-6cc1250 68->84 85 6cc11f1-6cc1224 68->85 88 6cc0ddf 69->88 89 6cc0db7-6cc0dc3 69->89 72 6cc0d5a-6cc0d71 70->72 73 6cc0d0b-6cc0d17 70->73 77 6cc0d26-6cc0d2c 72->77 78 6cc0d73-6cc0d76 72->78 74 6cc0d1e-6cc0d23 73->74 75 6cc0d19 73->75 74->77 75->74 80 6cc0d2e-6cc0d32 77->80 81 6cc0d51 77->81 82 6cc0d79-6cc0d7d 78->82 86 6cc0d35-6cc0d42 80->86 81->70 82->69 87 6cc0cd0-6cc0ce7 82->87 100 6cc1259-6cc12d8 84->100 85->100 90 6cc0d48-6cc0d4f 86->90 91 6cc0ca7-6cc0ccb 86->91 87->65 96 6cc0de5-6cc0e0b 88->96 92 6cc0dcd-6cc0dd3 89->92 93 6cc0dc5-6cc0dcb 89->93 90->72 91->82 98 6cc0ddd 92->98 93->98 104 6cc0e0e-6cc0e12 96->104 98->96 112 6cc12df-6cc12f2 100->112 105 6cc0e14-6cc0e4c 104->105 106 6cc0e61-6cc0e97 104->106 114 6cc1301-6cc1306 105->114 106->86 111 6cc0e9d-6cc0f16 106->111 126 6cc0f1f-6cc0f20 111->126 127 6cc0f18 111->127 112->114 116 6cc131d-6cc133c 114->116 117 6cc1308-6cc1316 114->117 121 6cc0c5f-6cc0c60 116->121 122 6cc1342-6cc1349 116->122 117->116 121->91 124 6cc13a9-6cc13b0 121->124 128 6cc0f77-6cc0f7d 126->128 127->126 129 6cc0f7f-6cc1041 128->129 130 6cc0f22-6cc0f44 128->130 141 6cc1082-6cc1086 129->141 142 6cc1043-6cc107c 129->142 131 6cc0f4b-6cc0f74 130->131 132 6cc0f46 130->132 131->128 132->131 143 6cc1088-6cc10c1 141->143 144 6cc10c7-6cc10cb 141->144 142->141 143->144 145 6cc110c-6cc1110 144->145 146 6cc10cd-6cc1106 144->146 145->68 148 6cc1116-6cc112e 145->148 146->145 148->104 151 6cc1134-6cc113b 148->151 151->63
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID: :$~
                              • API String ID: 0-2431124681
                              • Opcode ID: 95367758e3243e569ce701f8d774fdb7e26738ad02f1363e783d6f46613b459b
                              • Instruction ID: 7deee83ce339e6c25b666e2de229f29a65d5e262d1b5f4e3137fd7a5ab0f3a8d
                              • Opcode Fuzzy Hash: 95367758e3243e569ce701f8d774fdb7e26738ad02f1363e783d6f46613b459b
                              • Instruction Fuzzy Hash: 8D42E775E00218DFDB55CFA9C840A99BBB2FF49314F1580E9E509AB222D732EE91DF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2134551323.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2540000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 267ba09f15f01ad216af668b905463025cd86c4c81b3b7ca601d544ea0b1596d
                              • Instruction ID: 901a344d80223dbf5c17af7c54d17db4dbaf2feec268a73fb946e10e94f114cc
                              • Opcode Fuzzy Hash: 267ba09f15f01ad216af668b905463025cd86c4c81b3b7ca601d544ea0b1596d
                              • Instruction Fuzzy Hash: BDE1BD71B016149FDB29DB65C450BAEBBF6BF88708F144469E90ADB2A1CF34E902CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2134551323.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2540000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 142994f707bae91236fd668329e8f597b6b02cda57bf0435c7c97cd9b03b3a77
                              • Instruction ID: bf821014ea5463dcc127dec39455bc44c1ddb69539485e7f8c8fdf413e5c5d98
                              • Opcode Fuzzy Hash: 142994f707bae91236fd668329e8f597b6b02cda57bf0435c7c97cd9b03b3a77
                              • Instruction Fuzzy Hash: 70E08034D4D544CFCB505F55A8441F4F77CFB87119F0464A5C50DF7602D92485D4CA1C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 009FD196
                              • GetCurrentThread.KERNEL32 ref: 009FD1D3
                              • GetCurrentProcess.KERNEL32 ref: 009FD210
                              • GetCurrentThreadId.KERNEL32 ref: 009FD269
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 985336531a4b0a23b2aa472f263f5476de4f129a744892717a9592fa94944ef4
                              • Instruction ID: 45123fce43301659d70b0910137f949e0ae422b5110f122ffa0112527b6c6e73
                              • Opcode Fuzzy Hash: 985336531a4b0a23b2aa472f263f5476de4f129a744892717a9592fa94944ef4
                              • Instruction Fuzzy Hash: 7D518BB0901749CFDB14CFAAD948BEEBBF1EF48304F208059E119A7360D7759944CB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 009FD196
                              • GetCurrentThread.KERNEL32 ref: 009FD1D3
                              • GetCurrentProcess.KERNEL32 ref: 009FD210
                              • GetCurrentThreadId.KERNEL32 ref: 009FD269
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: ade8ae061e93c862abf7c5f973297eff8f75b8a5b19d76bacf984de5e591a688
                              • Instruction ID: fec5c6b2c06b17b46658abec0360f55f1190da769b355a196c4b9c16703925f4
                              • Opcode Fuzzy Hash: ade8ae061e93c862abf7c5f973297eff8f75b8a5b19d76bacf984de5e591a688
                              • Instruction Fuzzy Hash: 655168B0901749CFDB14CFAAD948BEEBBF2EF88304F208059E519A7360D775A944CB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 152 6ccf1b0-6ccf245 154 6ccf27e-6ccf29e 152->154 155 6ccf247-6ccf251 152->155 160 6ccf2d7-6ccf306 154->160 161 6ccf2a0-6ccf2aa 154->161 155->154 156 6ccf253-6ccf255 155->156 158 6ccf278-6ccf27b 156->158 159 6ccf257-6ccf261 156->159 158->154 162 6ccf265-6ccf274 159->162 163 6ccf263 159->163 171 6ccf33f-6ccf3f9 CreateProcessA 160->171 172 6ccf308-6ccf312 160->172 161->160 164 6ccf2ac-6ccf2ae 161->164 162->162 165 6ccf276 162->165 163->162 166 6ccf2b0-6ccf2ba 164->166 167 6ccf2d1-6ccf2d4 164->167 165->158 169 6ccf2bc 166->169 170 6ccf2be-6ccf2cd 166->170 167->160 169->170 170->170 173 6ccf2cf 170->173 183 6ccf3fb-6ccf401 171->183 184 6ccf402-6ccf488 171->184 172->171 174 6ccf314-6ccf316 172->174 173->167 176 6ccf318-6ccf322 174->176 177 6ccf339-6ccf33c 174->177 178 6ccf324 176->178 179 6ccf326-6ccf335 176->179 177->171 178->179 179->179 180 6ccf337 179->180 180->177 183->184 194 6ccf498-6ccf49c 184->194 195 6ccf48a-6ccf48e 184->195 196 6ccf4ac-6ccf4b0 194->196 197 6ccf49e-6ccf4a2 194->197 195->194 198 6ccf490 195->198 200 6ccf4c0-6ccf4c4 196->200 201 6ccf4b2-6ccf4b6 196->201 197->196 199 6ccf4a4 197->199 198->194 199->196 203 6ccf4d6-6ccf4dd 200->203 204 6ccf4c6-6ccf4cc 200->204 201->200 202 6ccf4b8 201->202 202->200 205 6ccf4df-6ccf4ee 203->205 206 6ccf4f4 203->206 204->203 205->206
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CCF3E6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: cb2ffaf848d9159e952ae17366324624de41d10ee0dffe014f0779772d4ad23d
                              • Instruction ID: 9432a8cbf57aa2ff58299048b400dd65e4f8a958cb795cb85e5ea57008d4b3e2
                              • Opcode Fuzzy Hash: cb2ffaf848d9159e952ae17366324624de41d10ee0dffe014f0779772d4ad23d
                              • Instruction Fuzzy Hash: 3F914B71D00659DFEB50CF68C841BEDBBB2BF48320F1485ADE858A7240DB759A85CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 208 9fae90-9fae9f 209 9faecb-9faecf 208->209 210 9faea1-9faeae call 9f9898 208->210 211 9faee3-9faf24 209->211 212 9faed1-9faedb 209->212 215 9faec4 210->215 216 9faeb0 210->216 219 9faf26-9faf2e 211->219 220 9faf31-9faf3f 211->220 212->211 215->209 263 9faeb6 call 9fb118 216->263 264 9faeb6 call 9fb128 216->264 219->220 222 9faf63-9faf65 220->222 223 9faf41-9faf46 220->223 221 9faebc-9faebe 221->215 226 9fb000-9fb0c0 221->226 227 9faf68-9faf6f 222->227 224 9faf48-9faf4f call 9fa874 223->224 225 9faf51 223->225 229 9faf53-9faf61 224->229 225->229 258 9fb0c8-9fb0f3 GetModuleHandleW 226->258 259 9fb0c2-9fb0c5 226->259 230 9faf7c-9faf83 227->230 231 9faf71-9faf79 227->231 229->227 233 9faf85-9faf8d 230->233 234 9faf90-9faf92 call 9fa884 230->234 231->230 233->234 237 9faf97-9faf99 234->237 239 9faf9b-9fafa3 237->239 240 9fafa6-9fafab 237->240 239->240 242 9fafad-9fafb4 240->242 243 9fafc9-9fafd6 240->243 242->243 244 9fafb6-9fafc6 call 9fa894 call 9fa8a4 242->244 249 9faff9-9fafff 243->249 250 9fafd8-9faff6 243->250 244->243 250->249 260 9fb0fc-9fb110 258->260 261 9fb0f5-9fb0fb 258->261 259->258 261->260 263->221 264->221
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 009FB0E6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: cce3066be6f1da0a0978528c9cdfb5a891c081830937da06f6b2988f9f340a64
                              • Instruction ID: 8bd37e51dda22deb66ddb87b1b454d18b2b9b91705d029ff82481ad170c8352c
                              • Opcode Fuzzy Hash: cce3066be6f1da0a0978528c9cdfb5a891c081830937da06f6b2988f9f340a64
                              • Instruction Fuzzy Hash: D1716CB0A00B099FDB24DF2AD45176ABBF5FF88300F00892DE14ADBA40DB75E845CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 265 9f590c-9f59d9 CreateActCtxA 267 9f59db-9f59e1 265->267 268 9f59e2-9f5a3c 265->268 267->268 275 9f5a3e-9f5a41 268->275 276 9f5a4b-9f5a4f 268->276 275->276 277 9f5a51-9f5a5d 276->277 278 9f5a60 276->278 277->278 280 9f5a61 278->280 280->280
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 009F59C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 9ac8ee0a3e8d5f53c9c1dfa73c66d29b8cc04798769b3d69335fbe598c981b26
                              • Instruction ID: fec16930af8d9dd3324f60b95427da40e46a5e135ad85b0391d08ed273c72738
                              • Opcode Fuzzy Hash: 9ac8ee0a3e8d5f53c9c1dfa73c66d29b8cc04798769b3d69335fbe598c981b26
                              • Instruction Fuzzy Hash: 514100B0C0075DCFDB24CFA9C885B9DBBB5BF89304F20816AD508AB261D771694ACF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 281 9f449c-9f59d9 CreateActCtxA 284 9f59db-9f59e1 281->284 285 9f59e2-9f5a3c 281->285 284->285 292 9f5a3e-9f5a41 285->292 293 9f5a4b-9f5a4f 285->293 292->293 294 9f5a51-9f5a5d 293->294 295 9f5a60 293->295 294->295 297 9f5a61 295->297 297->297
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 009F59C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: eac49928398e18b7a3ca969c8c33320b5b9aa185171a87a6e2d2bd7f2500d908
                              • Instruction ID: 7765bce618709d8c621fc5172a7eb40c51f00fca0694008e3d1e88304e818296
                              • Opcode Fuzzy Hash: eac49928398e18b7a3ca969c8c33320b5b9aa185171a87a6e2d2bd7f2500d908
                              • Instruction Fuzzy Hash: 8741E2B0C0071DCBDB24DFAAC884B9EBBF5BF49704F60816AD508AB251DBB56945CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 298 9fd421-9fd428 299 9fd42a-9fd54e 298->299 300 9fd3e4-9fd3f4 DuplicateHandle 298->300 301 9fd3fd-9fd41a 300->301 302 9fd3f6-9fd3fc 300->302 302->301
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD3E7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 92f599e805bb3d168bbc251627542ef5da4015a93a68ed3bd45151d3af734d30
                              • Instruction ID: 99af17bb418417f01e8945ae0e04c53b9b81e00b53bc4437df47a8bd0bd5dfcf
                              • Opcode Fuzzy Hash: 92f599e805bb3d168bbc251627542ef5da4015a93a68ed3bd45151d3af734d30
                              • Instruction Fuzzy Hash: EB313934A413808FE714EFA5F8547793BA6E7C8750F10852AE9619F7E9CBB84847CB11
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 316 6ccef28-6ccef76 318 6ccef78-6ccef84 316->318 319 6ccef86-6ccefc5 WriteProcessMemory 316->319 318->319 321 6ccefce-6cceffe 319->321 322 6ccefc7-6ccefcd 319->322 322->321
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CCEFB8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: c67a0178e64caf73c9d6bfbcfe05e0b1f7efe4c4737ac4255a9929dca58df4b2
                              • Instruction ID: 9e7707fb5769ff8aebe3d769ebc62f80e7502d65ac86ea05781848280ac6503e
                              • Opcode Fuzzy Hash: c67a0178e64caf73c9d6bfbcfe05e0b1f7efe4c4737ac4255a9929dca58df4b2
                              • Instruction Fuzzy Hash: EF2113719003499FDB10CFAAC881BEEBBF5FF48320F10842AE919A7240C7799944CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 326 9fd358-9fd3f4 DuplicateHandle 327 9fd3fd-9fd41a 326->327 328 9fd3f6-9fd3fc 326->328 328->327
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD3E7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: fb1f2c335ac2cb1d58ba4f8b83b79bd846566c9ea878c52c8c081c9420e3f01e
                              • Instruction ID: 7fac9a3c7e7e83e0f75b9a979640f9c90ebdee903122015d1fec415081ccc7f9
                              • Opcode Fuzzy Hash: fb1f2c335ac2cb1d58ba4f8b83b79bd846566c9ea878c52c8c081c9420e3f01e
                              • Instruction Fuzzy Hash: 752105B5901249DFDB10CFAAD885ADEBFF5EB48314F10841AE918A3310C374A944CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 341 6ccf018-6ccf0a5 ReadProcessMemory 344 6ccf0ae-6ccf0de 341->344 345 6ccf0a7-6ccf0ad 341->345 345->344
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CCF098
                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 042d49e2d5d2ea1b6f1ea169d232529a78c88c669984064ba5c1bcb23f0d0da7
                              • Instruction ID: 6c67238a2d59c09dcb54be35d840bc8c99131ae5ea8a20cd58a01c2a4cbeaf4b
                              • Opcode Fuzzy Hash: 042d49e2d5d2ea1b6f1ea169d232529a78c88c669984064ba5c1bcb23f0d0da7
                              • Instruction Fuzzy Hash: 1621E4B1C003499FDB10DFAAC881AEEBBF5FF48720F50842EE519A7240D7799944CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 331 6cce958-6cce9a3 333 6cce9a5-6cce9b1 331->333 334 6cce9b3-6cce9e3 Wow64SetThreadContext 331->334 333->334 336 6cce9ec-6ccea1c 334->336 337 6cce9e5-6cce9eb 334->337 337->336
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CCE9D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 217f0f86950338dec69f2888711c402e2783479f58c734a47cef8e8f5bf15e86
                              • Instruction ID: a7d72735e3cfc0024914701fb4b05c1e96786881ca58c03d73a4aae7fd678adf
                              • Opcode Fuzzy Hash: 217f0f86950338dec69f2888711c402e2783479f58c734a47cef8e8f5bf15e86
                              • Instruction Fuzzy Hash: B1213771D003098FDB50DFAAC4857EEBBF4AF89320F14842ED559A7241C7789944CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                               Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered graph is not reproduced)

                               • Block 349: 9fd360-9fd3f4, calls DuplicateHandle
                               • Block 350: 9fd3fd-9fd41a
                               • Block 351: 9fd3f6-9fd3fc
                               • Edges: 349->350, 349->351, 351->350
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD3E7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 42600f8166b332293b139d9908e8c20c451a70e0c4756289c80e8d96824abbba
                              • Instruction ID: a5106da05970d463a5338747bb4e9263186db614cd54775c4d0f8d71bba40a99
                              • Opcode Fuzzy Hash: 42600f8166b332293b139d9908e8c20c451a70e0c4756289c80e8d96824abbba
                              • Instruction Fuzzy Hash: 6121E4B5900249DFDB10CFAAD884ADEBFF9EB48310F14841AE918A3350C379A954CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                               Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered graph is not reproduced)

                               • Block 354: 9fa8d0-9fb348
                               • Block 356: 9fb34a-9fb34d
                               • Block 357: 9fb350-9fb37f, calls LoadLibraryExW
                               • Block 358: 9fb388-9fb3a5
                               • Block 359: 9fb381-9fb387
                               • Edges: 354->356, 354->357, 356->357, 357->358, 357->359, 359->358
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009FB161,00000800,00000000,00000000), ref: 009FB372
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 533c336c0b60899b13471254730174094ba9c79efdcaf75c6fa5498e4b41821b
                              • Instruction ID: 2fe5661c2c5d511e13d387b6200ef7aad04c6d417c9b938c26bd52da8167f949
                              • Opcode Fuzzy Hash: 533c336c0b60899b13471254730174094ba9c79efdcaf75c6fa5498e4b41821b
                              • Instruction Fuzzy Hash: 4B11E4B6904349DFDB10CF9AD444AAEFBF8EB48714F14842AD919A7200C3B9A945CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                               Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered graph is not reproduced)

                               • Block 362: 6ccee68-6cceee3, calls VirtualAllocEx
                               • Block 365: 6cceeec-6ccef11
                               • Block 366: 6cceee5-6cceeeb
                               • Edges: 362->365, 362->366, 366->365
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CCEED6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 0f667a23d2e7d1ebc98640b4441f1fc16e69d753c2210393c54a0c504474ec47
                              • Instruction ID: 411545d68637ddc48613e45de04784c869ed913c242b7b91355e280a97b97d26
                              • Opcode Fuzzy Hash: 0f667a23d2e7d1ebc98640b4441f1fc16e69d753c2210393c54a0c504474ec47
                              • Instruction Fuzzy Hash: 6C1114718002499FDB10DFAAC845AEEBBF5AF89320F148419E519A7250C7799540CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009FB161,00000800,00000000,00000000), ref: 009FB372
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 88cf8284145d4b2427d2e3a4cedf836a4a59f753c587db10be26117239615d20
                              • Instruction ID: c85df8e8d31043931cf500abd432fbf891d5d00dac3dbdbf71667e266bd905cb
                              • Opcode Fuzzy Hash: 88cf8284145d4b2427d2e3a4cedf836a4a59f753c587db10be26117239615d20
                              • Instruction Fuzzy Hash: D511E4B6D00349CFDB10CFAAD444A9EFBF4EB48310F15851AD529A7600C379A545CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02544229,?,?), ref: 025443D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2134551323.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2540000_RFQ#1047.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 2eab4096ee487d579a43aeb29cd0ed5eb374aa03354f0df3c19ecc6d0fabfd11
                              • Instruction ID: d00477b629c279678f1b3742b1b57dbb329c0ac349db0598e7a9ee1a21d6d117
                              • Opcode Fuzzy Hash: 2eab4096ee487d579a43aeb29cd0ed5eb374aa03354f0df3c19ecc6d0fabfd11
                              • Instruction Fuzzy Hash: DB1143B1804749CFDB10CF9AD445BEEFBF4EB48324F108459D558A7340C778A944CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02544229,?,?), ref: 025443D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2134551323.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2540000_RFQ#1047.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: cb52d32287fb879cacf640c17a083612f6bebe7e6984cfb950c1e89652d8d65d
                              • Instruction ID: b6a31318d16dde04ca9a4a58422cda8bdb1c89185b38c42ab09520c628107291
                              • Opcode Fuzzy Hash: cb52d32287fb879cacf640c17a083612f6bebe7e6984cfb950c1e89652d8d65d
                              • Instruction Fuzzy Hash: EC1143B1804749CFDB10CF9AD445BEEFBF4EB48328F108459D958A7340C738A944CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02544229,?,?), ref: 025443D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2134551323.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2540000_RFQ#1047.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: d0c0c05905989ffca69f05b78b986bd8476b038535a6661bc0bcf569cc27d0d2
                              • Instruction ID: f2ac173ce0cb0b4cf48c688f93d7b0404bb77e46186fb651931cc6c61c743481
                              • Opcode Fuzzy Hash: d0c0c05905989ffca69f05b78b986bd8476b038535a6661bc0bcf569cc27d0d2
                              • Instruction Fuzzy Hash: 1A1143B1804749CFDB10DF9AD445BEEFBF4EB48328F108459DA58A7240D738A944CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02544229,?,?), ref: 025443D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2134551323.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2540000_RFQ#1047.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: e2bef4fadf96f73382927bae4ad1fd5453df8f9f62c361cf2275088607750b08
                              • Instruction ID: 0ef8a45a96d6eb5e37b44b0c04ee9a1b969967e617d7c21434feadfe2aaf5b49
                              • Opcode Fuzzy Hash: e2bef4fadf96f73382927bae4ad1fd5453df8f9f62c361cf2275088607750b08
                              • Instruction Fuzzy Hash: D21143B5800649CFDB10CF99D445BDEBBF4EF88324F10845AD958A7241C339A984CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 0254189D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2134551323.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2540000_RFQ#1047.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: fa4cc22cd6acf889f4cf00abc0fd087676f1802681e29c107627a05efc7438f8
                              • Instruction ID: fca46997158bbf5a92e9d02cdf2d2487d11d2f512241ca08fdbf4bbca1bc050d
                              • Opcode Fuzzy Hash: fa4cc22cd6acf889f4cf00abc0fd087676f1802681e29c107627a05efc7438f8
                              • Instruction Fuzzy Hash: 9511FDB58006499EDB10DF9AD945ADABBF8FB48324F10881AE918A3200D375A584CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 3f2eee21285d87e5625d59133280c44b0d8d252dd273a585f40df53582fd41dc
                              • Instruction ID: b264eeb3274e1ba7d5a9bdade5e8d4ee316cf139c3fecf0b1007af8741af8304
                              • Opcode Fuzzy Hash: 3f2eee21285d87e5625d59133280c44b0d8d252dd273a585f40df53582fd41dc
                              • Instruction Fuzzy Hash: 4B112871D003498FDB10DFAAC4457DEFBF4EF89624F248419D519A7240C7796544CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%
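The call entries above collect the primitives of a process-hollowing chain: VirtualAllocEx (memory in a foreign process), Wow64SetThreadContext (overwriting the context of a suspended 32-bit thread) and ResumeThread (starting it), with ReadProcessMemory and DuplicateHandle alongside. The script below is an added example, not Joe Sandbox code: it parses the "• API.MODULE(args), ref: ADDR" lines in the form they appear in this listing, derives the report's "API ID" value from an API name (the token-drop-and-sort rule is inferred from the name/ID pairs on this page and is an assumption), and reports which injection stages the dump exposes. WriteProcessMemory is listed as an expected stage although no call line for it appears in this excerpt; the stage and function names are this example's own.

```python
"""Parse the "APIs" call lines of a Joe Sandbox function dump and flag the
process-injection primitives they expose.

Added example for this report, not Joe Sandbox code.  The API-ID rule in
api_id() is inferred from the name/ID pairs on this page and is an assumption.
"""
from __future__ import annotations

import re

# Constructed input: call lines copied from this listing, plus the bare
# "API ID" line of the ResumeThread function, which shows no call line here.
SAMPLE = """\
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CCF098
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CCE9D6
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD3E7
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009FB161,00000800,00000000,00000000), ref: 009FB372
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CCEED6
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02544229,?,?), ref: 025443D0
• PostMessageW.USER32(?,?,?,?), ref: 0254189D
• API ID: ResumeThread
• GetModuleHandleW.KERNELBASE(00000000), ref: 009FB0E6
"""

CALL_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
APIID_RE = re.compile(r"^•\s*API ID:\s*(?P<id>\w*)$")

# Tokens the report's API IDs appear to omit before sorting (assumption).
_DROP = {"Get", "Set", "Ex", "W", "A"}


def api_id(name: str) -> str:
    """Joe Sandbox-style API ID: CamelCase tokens, filtered, sorted, joined.
    ReadProcessMemory -> MemoryProcessRead, LoadLibraryExW -> LibraryLoad."""
    tokens = re.findall(r"[A-Z][a-z0-9]*", name)
    return "".join(sorted(t for t in tokens if t not in _DROP))


def parse_calls(text: str) -> list[dict]:
    """One record per call line.  A bare "API ID" line also yields a record, so a
    function whose call line is absent from the dump still counts by its ID."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["args"] = rec["args"].split(",") if rec["args"] else []
            rec["api_id"] = api_id(rec["api"])
            records.append(rec)
            continue
        m = APIID_RE.match(line)
        if m and m["id"]:
            records.append({"api": None, "module": None, "args": [],
                            "ref": None, "api_id": m["id"]})
    return records


# Hollowing primitives keyed by normalised ID so ID-only records match too.
# WriteProcessMemory is the stage this excerpt does not show (assumed name).
INJECTION_STAGES = {
    "allocate_remote": {api_id("VirtualAllocEx")},
    "write_remote": {api_id("WriteProcessMemory")},
    "read_remote": {api_id("ReadProcessMemory")},
    "hijack_context": {api_id("Wow64SetThreadContext"), api_id("SetThreadContext")},
    "resume": {api_id("ResumeThread")},
}


def injection_stages(records: list[dict]) -> dict[str, list[str]]:
    """Map each stage to the call refs (or '<id-only>') of the records hitting it."""
    seen = {stage: [] for stage in INJECTION_STAGES}
    for rec in records:
        for stage, ids in INJECTION_STAGES.items():
            if rec["api_id"] in ids:
                seen[stage].append(rec["ref"] or "<id-only>")
    return seen


def looks_like_hollowing(stages: dict[str, list[str]]) -> bool:
    """Remote allocation + thread-context overwrite + resume is the hollowing
    signature; the write stage can be missing from a partial dump, so it is
    reported but not required."""
    return all(stages[s] for s in ("allocate_remote", "hijack_context", "resume"))


def main() -> None:
    records = parse_calls(SAMPLE)
    stages = injection_stages(records)
    for stage, refs in stages.items():
        print(f"{stage:16s} {', '.join(refs) or '-'}")
    print("hollowing pattern:", looks_like_hollowing(stages))
    print("stages without a caller in this dump:",
          [s for s, refs in stages.items() if not refs])


if __name__ == "__main__":
    main()
```

Run it as-is; the constructed SAMPLE is copied from the entries above. Fed the report's full function list instead of SAMPLE, an empty write_remote stage points to a dump that is missing the WriteProcessMemory caller, not to the absence of injection, which is why looks_like_hollowing() does not require it.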

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 009FB0E6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: a455cef8a49862f6e7f55048459d9e426514feab3e5b8cbfd5b4abedac57f179
                              • Instruction ID: 5dd48f55a049a684fe70ac105daf0ef11c94d6c856a887ee7fabe7b2962da47c
                              • Opcode Fuzzy Hash: a455cef8a49862f6e7f55048459d9e426514feab3e5b8cbfd5b4abedac57f179
                              • Instruction Fuzzy Hash: 0C11DFB5C00749CFDB20CF9AD444A9EFBF8EF88314F14841AD529A7610C779A545CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 0254189D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2134551323.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2540000_RFQ#1047.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 1ae3270042de870cd3d71189bfba582c60c73c34e117ee9f9d563a89a89ae991
                              • Instruction ID: cca6ec2e66a4d7ef39284bed0576f613c0bc129175ec80b2510a54450bda5843
                              • Opcode Fuzzy Hash: 1ae3270042de870cd3d71189bfba582c60c73c34e117ee9f9d563a89a89ae991
                              • Instruction Fuzzy Hash: CA11EDB5800649DFDB10CF9AD985BDEBBF8EB48324F10841AE918A7200C375A984CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133277139.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_88d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7716264e2d0b30905577d7f561c39040f02bdc8bf8592e51061d2f0834458377
                              • Instruction ID: 784d2dc33f354440b2ec79dc17f5ebb13bb4490312d637ee32f4ecbc0fd3025e
                              • Opcode Fuzzy Hash: 7716264e2d0b30905577d7f561c39040f02bdc8bf8592e51061d2f0834458377
                              • Instruction Fuzzy Hash: 3221D372504344EFDF05EF54D9C0B26BB66FB88314F24C569ED098B286C37AE856CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133277139.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_88d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 849f35d1422f7ed19ae75d8e2fdf803c304bcce99e295937f37ae38002b61afa
                              • Instruction ID: 419dd8422f4d3ce08bafe1016a49f184ecb4eb5c77142f1357d36c0f78cc33fe
                              • Opcode Fuzzy Hash: 849f35d1422f7ed19ae75d8e2fdf803c304bcce99e295937f37ae38002b61afa
                              • Instruction Fuzzy Hash: 36212871500304EFDB04EF14D9C0B16BF65FB94324F20C16DD9098B296C336E856CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133388875.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_89d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e411bab07afa61cb25afc4fc4f77f75e0abd405a8697bbefc70a6ca14dff0816
                              • Instruction ID: 63d2af790f43dff603002d48f83319bf3e1d4690afe4ca718474ab5b561c30ed
                              • Opcode Fuzzy Hash: e411bab07afa61cb25afc4fc4f77f75e0abd405a8697bbefc70a6ca14dff0816
                              • Instruction Fuzzy Hash: D721F271604704EFDF14EF24D9C4B26BB65FB84318F28C56DE90A8B286C33AD847CA65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133388875.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_89d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3ecd8f6876a58716235f87eb9a9a67c6ae366c221cd703d36b5fd90736bbf3d7
                              • Instruction ID: 6fe799319bfc91d894112626cc936e90f50a4f2bdb5e210e694cf0d72d9830c4
                              • Opcode Fuzzy Hash: 3ecd8f6876a58716235f87eb9a9a67c6ae366c221cd703d36b5fd90736bbf3d7
                              • Instruction Fuzzy Hash: 6D212971504304EFDF05EF54D5C0B25BB65FB84318F28C56DE9098B392C336E846CA65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133277139.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_88d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
                              • Instruction ID: e07c006cc1799c4e016738cffdb98d46256a6c4bb8e74a75cc076a363298fb29
                              • Opcode Fuzzy Hash: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
                              • Instruction Fuzzy Hash: 60219D76504244DFCB06DF50D9C4B16BF62FB84314F24C6A9DC094B696C33AE82ACBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133277139.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_88d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                              • Instruction ID: 02530efbc53b5480469b938e74ba198bdda180e45869192a6b0af2b39390da13
                              • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                              • Instruction Fuzzy Hash: 3111B176504344DFCB15DF10D5C4B16BF71FB94324F24C6A9D8094B656C33AE85ACBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133388875.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_89d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                              • Instruction ID: 6f1a81b52a8d5a15f8ad1a9324834605ac5a79169eb1213d67e0c3bde92b0333
                              • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                              • Instruction Fuzzy Hash: 4D118B75904384DFCB15DF50D5C4B15FBA2FB84314F28C6A9D8498B696C33AE84ACB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133388875.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_89d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                              • Instruction ID: f0cfc71b2129b9e232f371888a41e019833675439fc7f9456ab5929d12e2fe3a
                              • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                              • Instruction Fuzzy Hash: E511BB75504780DFCB11DF14D5C4B15FBA2FB84314F28C6AAD8098B656C33AD80ACBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133277139.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_88d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f13d546fd2e871966aa9c2e77e9ac00fb5ae1ee1c3016dcea888016b2c025028
                              • Instruction ID: b258e3498f5fbf151a87a61081c4ebfd6d7306aa917023d061a46602ba3d4be7
                              • Opcode Fuzzy Hash: f13d546fd2e871966aa9c2e77e9ac00fb5ae1ee1c3016dcea888016b2c025028
                              • Instruction Fuzzy Hash: 0301A771005344EAE7107E25DD84B66FF98FF41764F14C51AED098A2C6D6799844C771
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133277139.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_88d000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 36342c323d323b0202130fb29a456d5475869915cd7201f771e8f0968e91371e
                              • Instruction ID: 00674e41194825f7597513c84e6ff5f3cd0f33ebe65ec1f0fd1f0c091e5ac94f
                              • Opcode Fuzzy Hash: 36342c323d323b0202130fb29a456d5475869915cd7201f771e8f0968e91371e
                              • Instruction Fuzzy Hash: 95F06D71405344AAEB10AE16CD88B66FFA8EB91734F18C45AED084B286C3799844CBB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c23769dbb63dd6cc1028f99a78d850c82d9bbb9eec93612e6512109f598b6499
                              • Instruction ID: 423db4761a73aa558b4d0ceee2d3bd3b51c6e4a792a91a6214b0413a031f2a0d
                              • Opcode Fuzzy Hash: c23769dbb63dd6cc1028f99a78d850c82d9bbb9eec93612e6512109f598b6499
                              • Instruction Fuzzy Hash: 20E12B74E002598FDB14DFA9C5809AEFBF2FF89315F248169D419AB359C730A942CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9eae0f6c8afcc54ae5376713ebc4d239adbc42af242376339ef80be8ffd5d906
                              • Instruction ID: 5cb14ce0c1b0cc2521e9a4bcebb3a890a6f698d42f3349bb2ac5d407b9f4653e
                              • Opcode Fuzzy Hash: 9eae0f6c8afcc54ae5376713ebc4d239adbc42af242376339ef80be8ffd5d906
                              • Instruction Fuzzy Hash: 69E13C74E00259CFDB14DF99C584AAEFBB2FF89315F248169D415AB359C730A942CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: de47afe02ecb7bc4cd475f91a38f69a479aaf2e162fc3445a04da24016f641d0
                              • Instruction ID: bdf0393b2027b935ccf91f499301a9111b666e699093c53aff49fca5e774fd53
                              • Opcode Fuzzy Hash: de47afe02ecb7bc4cd475f91a38f69a479aaf2e162fc3445a04da24016f641d0
                              • Instruction Fuzzy Hash: 50E13C74E002598FDB14DFA9C5909AEFBF2FF89315F248169D819AB355C730A942CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1bf7d36a39d767e86cb405f3ab84729efa92c280f1c28abed03823e7dd4ad565
                              • Instruction ID: 6ed0da9c8250cc9ebccc18e1a07655577ae04b097285a415abf0ef7584d44a94
                              • Opcode Fuzzy Hash: 1bf7d36a39d767e86cb405f3ab84729efa92c280f1c28abed03823e7dd4ad565
                              • Instruction Fuzzy Hash: 34E12A74E002598FDB14DFA9C5909AEFBF2FF89315F248169D815AB359C730A942CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ace51c3b8b3867ba8a3c61a8077bf504aa554ef5c4844c0e45cf293203ab9d49
                              • Instruction ID: 43d5151b8038b6265c8c4c147048810315dba991e0854e1a48680656e5381348
                              • Opcode Fuzzy Hash: ace51c3b8b3867ba8a3c61a8077bf504aa554ef5c4844c0e45cf293203ab9d49
                              • Instruction Fuzzy Hash: D1E12C74E002598FDB14DFA9C5909AEFBB2FF89315F248169D419AB359C730AD42CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc44a3968dfe170d3693cdc552b0f578b471dae0819e1d258b2e73db43fe5aac
                              • Instruction ID: 9a8a9c9ea1c842a4562d571ee1be256d3b1b483b583f9248a74b1cce31e65da5
                              • Opcode Fuzzy Hash: fc44a3968dfe170d3693cdc552b0f578b471dae0819e1d258b2e73db43fe5aac
                              • Instruction Fuzzy Hash: D1D1163192065ACADB00EB64D89069DF7B1FFA9300F20D79AE54A77214EB706AC5CF81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2133654711.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9f0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4c62fcaa1e9a224df061724955b3056a1ddb4771d6da61c5b176557b932c4e10
                              • Instruction ID: a3af0f674b1f9855555cf3eb05c2339d30158b9c24ab66f21f81e0f29405ac4e
                              • Opcode Fuzzy Hash: 4c62fcaa1e9a224df061724955b3056a1ddb4771d6da61c5b176557b932c4e10
                              • Instruction Fuzzy Hash: C9A18C32E002098FCF15DFB5D8545EEB7B6FF84300B1585BAEA05AB265DB71E906CB80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3a8017a69b09e6a9b565581cb5c90e8140c98fb6894c8b6499e63408862afff
                              • Instruction ID: 52ade8bdc300603338ab54b638c05799c4b2cbdf21fbf59780119373d52343a6
                              • Opcode Fuzzy Hash: a3a8017a69b09e6a9b565581cb5c90e8140c98fb6894c8b6499e63408862afff
                              • Instruction Fuzzy Hash: F1D1163192065ACADB00EB64D99069DF3B1FF99300F20D7AAE54A77214FB706AC5CF81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40e58e8109a34896c5c6bcbe4ed2bb77c11ea81bc23b726a59f068e3660c5786
                              • Instruction ID: 0e596cf59eac76cff8f0b46a15bed5811714eea4da3536a3d93e7ac81164ddc9
                              • Opcode Fuzzy Hash: 40e58e8109a34896c5c6bcbe4ed2bb77c11ea81bc23b726a59f068e3660c5786
                              • Instruction Fuzzy Hash: AD515C70E002598FDB14CFA9C9905AEFBF2FF89304F24816AD458AB356D7349942CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: af0b7b0c910a842121cbc89de203993b61a8bfb720c5f2b7f5ddb3756449cbac
                              • Instruction ID: bd36c7135d16b1011f6931f769177ecfb5b5b3df34d989e3eaf062d078d982c2
                              • Opcode Fuzzy Hash: af0b7b0c910a842121cbc89de203993b61a8bfb720c5f2b7f5ddb3756449cbac
                              • Instruction Fuzzy Hash: 20512870E002598FDB14CFA9C5905AEFBF2FF89315F2481AAD458AB356D7309942CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2138819439.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cc0000_RFQ#1047.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f24250c75dda64e492aed8ef1fa298099e127c52ad44694e26e0569fe6fe1e22
                              • Instruction ID: 105cf04ff90ab2fdcbeaa6e0500b63fdd2ccba76bfba114edd734eb26c889400
                              • Opcode Fuzzy Hash: f24250c75dda64e492aed8ef1fa298099e127c52ad44694e26e0569fe6fe1e22
                              • Instruction Fuzzy Hash: C2512770E002598FDB14CFA9C5805AEFBF2FF89315F24C16AD419AB255D730AA42CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage:8.7%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:97
                              Total number of Limit Nodes:15
                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b9d0ac29929f64f64c55ce19d56ef56f6e845235f10d518ec70dff9396389a78
                              • Instruction ID: 7732fec4bf99436a85d57c2183ded0e5cc9dead25a931c33f8d3a0409124e3ec
                              • Opcode Fuzzy Hash: b9d0ac29929f64f64c55ce19d56ef56f6e845235f10d518ec70dff9396389a78
                              • Instruction Fuzzy Hash: 0B331D31D107198EDB11EF68C8906ADF7B1FF99300F15D69AE449A7221EB70AAC5CF81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cfa22d2a8ae83a23fb758af51ad88df8c11799d462e2d0632ea54358a8314448
                              • Instruction ID: ff87dd2c8f364a86fc5a0f15743d6963b8268a754b1d63593c4d568e46b93d02
                              • Opcode Fuzzy Hash: cfa22d2a8ae83a23fb758af51ad88df8c11799d462e2d0632ea54358a8314448
                              • Instruction Fuzzy Hash: 92D2D931D10B5A8ADB11EB68C8946A9F7B1FF99300F11D79AE45877221FB70AAC4CF41
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 02c59584324e7f794139a3ac8c7a4b0ed67ffd5fbe740704c6cfc859fb874666
                              • Instruction ID: 3bd37fff11c02298113f3d1291801d73bdc35b50f554571be354653b2d5bee75
                              • Opcode Fuzzy Hash: 02c59584324e7f794139a3ac8c7a4b0ed67ffd5fbe740704c6cfc859fb874666
                              • Instruction Fuzzy Hash: 76B14C70E00209CFDB14DFA9CCA179DBBF2AF88754F148529D819AB394EBB49845CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d05a2d31c24d4147c54d52217a7a049adb223d1e3885a8a4c39a312822ca5df8
                              • Instruction ID: 6c5b3a3f7195a7a60b87c3d4d0841a683c90a069f30f5c808c411eb9726cb738
                              • Opcode Fuzzy Hash: d05a2d31c24d4147c54d52217a7a049adb223d1e3885a8a4c39a312822ca5df8
                              • Instruction Fuzzy Hash: 40915870E10249CFDB10CFA9C9A17AEBBF2AF88304F148129E415AB394EB749C45CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 420 542583c-5426b4c 423 5426b52-5426b57 420->423 424 5426bfc-5426c1c call 54201e4 420->424 426 5426baa-5426be2 CallWindowProcW 423->426 427 5426b59-5426b90 423->427 431 5426c1f-5426c2c 424->431 428 5426be4-5426bea 426->428 429 5426beb-5426bfa 426->429 434 5426b92-5426b98 427->434 435 5426b99-5426ba8 427->435 428->429 429->431 434->435 435->431
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05426BD1
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 6795367f914e7534f60f8eac54543ae897f5bfee2417976a35e88e619a9c6091
                              • Instruction ID: 9098bbeda8b195b46de3a124793af9ce9bcaa75f0863a412d67571d66b17e710
                              • Opcode Fuzzy Hash: 6795367f914e7534f60f8eac54543ae897f5bfee2417976a35e88e619a9c6091
                              • Instruction Fuzzy Hash: 03412AB5A00325DFDB14CF59C488AAABBF5FF88314F25C499D519AB321D735A841CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 437 5427260-5427900 OleGetClipboard 440 5427902-5427908 437->440 441 5427909-5427957 437->441 440->441 446 5427967 441->446 447 5427959-542795d 441->447 449 5427968 446->449 447->446 448 542795f 447->448 448->446 449->449
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: Clipboard
                              • String ID:
                              • API String ID: 220874293-0
                              • Opcode ID: 383d629530d94f76cf71705223a6984ed755993aad647df868a32906d48071dd
                              • Instruction ID: 953705546814404956cc1597f0c35ed9b245e575e7170b8c8338fce0673fd3a8
                              • Opcode Fuzzy Hash: 383d629530d94f76cf71705223a6984ed755993aad647df868a32906d48071dd
                              • Instruction Fuzzy Hash: 6B31EFB0901329DFEB10CF99C594BCEBBF5EF48704F24806AE409AB390D7B46845CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 450 542785c-54278b8 451 54278c2-5427900 OleGetClipboard 450->451 452 5427902-5427908 451->452 453 5427909-5427957 451->453 452->453 458 5427967 453->458 459 5427959-542795d 453->459 461 5427968 458->461 459->458 460 542795f 459->460 460->458 461->461
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: Clipboard
                              • String ID:
                              • API String ID: 220874293-0
                              • Opcode ID: 313bedd2218f37f6f1af60da5ff76029aa3987abbe59a8e6468180d77a212b50
                              • Instruction ID: 45e2a845626adf11a26035c7a5f2469a0a6238cd8cd9c99557fba463af7736e3
                              • Opcode Fuzzy Hash: 313bedd2218f37f6f1af60da5ff76029aa3987abbe59a8e6468180d77a212b50
                              • Instruction Fuzzy Hash: B731EDB0901329DFEB10CF99C594BCEBBF5AF48304F24805AE409BB390DB746845CB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 462 54293ab-54293fa 465 5429406-5429438 SetWindowsHookExA 462->465 466 54293fc-5429404 462->466 467 5429441-5429461 465->467 468 542943a-5429440 465->468 466->465 468->467
                              APIs
                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0542942B
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 3707e17b47d04c1ca057c0efbee20a3357b682232b94538acc47334fdc441841
                              • Instruction ID: e86b807d02cbf9b40bfa0a3b8798fafea7cbf93471d91fe902832a031f8a38ac
                              • Opcode Fuzzy Hash: 3707e17b47d04c1ca057c0efbee20a3357b682232b94538acc47334fdc441841
                              • Instruction Fuzzy Hash: F42110B5D042199FDB14CF9AD844BEEFBF5BF88310F10842AE419A7250CB74A944CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 472 54293b0-54293fa 474 5429406-5429438 SetWindowsHookExA 472->474 475 54293fc-5429404 472->475 476 5429441-5429461 474->476 477 542943a-5429440 474->477 475->474 477->476
                              APIs
                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0542942B
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 6e7945b6e260291de4b87069895660ca644becf364b54b30c76329a6474680cf
                              • Instruction ID: 3846ff4c2c18e2d0fcd0b3dfb99d2c2a17cdad6928b4082486537f799cc30bbd
                              • Opcode Fuzzy Hash: 6e7945b6e260291de4b87069895660ca644becf364b54b30c76329a6474680cf
                              • Instruction Fuzzy Hash: 2E2110B1D042199FDB14CF9AD844BEEFBF5BF88310F10842AE419A7250CB74A944CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 481 5425892-5426e89 483 5426e91-5426ebc KiUserCallbackDispatcher 481->483 484 5426ec5-5426ed9 483->484 485 5426ebe-5426ec4 483->485 485->484
                              APIs
                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,05426E25), ref: 05426EAF
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: CallbackDispatcherUser
                              • String ID:
                              • API String ID: 2492992576-0
                              • Opcode ID: ac106451d519e18789693849b6c2d4990f04a281f473b92be9abe1a56b2318ee
                              • Instruction ID: abc6b2410dfb951cb146f6b3adde1f79f75e9375bd4e54648a072ee54ea792e5
                              • Opcode Fuzzy Hash: ac106451d519e18789693849b6c2d4990f04a281f473b92be9abe1a56b2318ee
                              • Instruction Fuzzy Hash: 201122B1804259CFDB10CF9AC485BDEBBF4AB48320F20841AD519B7340C778A544CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 493 542714c-5427782 OleInitialize 495 5427784-542778a 493->495 496 542778b-54277a8 493->496 495->496
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 05427775
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: 2d8bec8f7f1a44e06ca47132895cfc677b2b858f3b62e3dc37583b4f01820603
                              • Instruction ID: 4abd2e3e0757c5f0d4dcfdf8a7e27c9dc99cea81ad218dd7c3ce69fedb5db52b
                              • Opcode Fuzzy Hash: 2d8bec8f7f1a44e06ca47132895cfc677b2b858f3b62e3dc37583b4f01820603
                              • Instruction Fuzzy Hash: 3C1112B5804759CFDB20DF9AD484BDEBBF8EB88320F20845AD519A7310C378A944CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 487 5425894-5426ebc KiUserCallbackDispatcher 490 5426ec5-5426ed9 487->490 491 5426ebe-5426ec4 487->491 491->490
                              APIs
                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,05426E25), ref: 05426EAF
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: CallbackDispatcherUser
                              • String ID:
                              • API String ID: 2492992576-0
                              • Opcode ID: b07253842d5b2e957a840e9010267d0621231f1e39f87c2b522541318f282ba8
                              • Instruction ID: b404a560c187a3e006f7c2170c50305c67e385a8f133343c2db71f9dd8b9b9c1
                              • Opcode Fuzzy Hash: b07253842d5b2e957a840e9010267d0621231f1e39f87c2b522541318f282ba8
                              • Instruction Fuzzy Hash: B0112EB1804758CFDB20CF9AD444BDEBBF8EB88720F20845AE519A7300C774A944CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 499 5427719-542771b 500 5427720-5427782 OleInitialize 499->500 501 5427784-542778a 500->501 502 542778b-54277a8 500->502 501->502
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 05427775
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: d4cc92d502590caaf2f8c0508043894db8ea08f4a7eec80f6963d00c07d1fa21
                              • Instruction ID: 25ca37cbfcbe36d12f3c310aefb13b1a47fd388d5b226d2c5f236e29c0152fb3
                              • Opcode Fuzzy Hash: d4cc92d502590caaf2f8c0508043894db8ea08f4a7eec80f6963d00c07d1fa21
                              • Instruction Fuzzy Hash: 241115B5800759CFDB10CFAAD885BDEBBF4EB48314F14845AD519A7310D378A544CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 505 5426e49-5426e89 506 5426e91-5426ebc KiUserCallbackDispatcher 505->506 507 5426ec5-5426ed9 506->507 508 5426ebe-5426ec4 506->508 508->507
                              APIs
                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,05426E25), ref: 05426EAF
                              Memory Dump Source
                              • Source File: 00000003.00000002.4575097787.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5420000_MSBuild.jbxd
                              Similarity
                              • API ID: CallbackDispatcherUser
                              • String ID:
                              • API String ID: 2492992576-0
                              • Opcode ID: cb93511dfb78d749244da6bc1d9dd2b3bbf08531adeb986d11e36600835fb981
                              • Instruction ID: 07ea61cdab75b681f2e36707691fe571c7fb6af13fef34ff0ae771bb21775912
                              • Opcode Fuzzy Hash: cb93511dfb78d749244da6bc1d9dd2b3bbf08531adeb986d11e36600835fb981
                              • Instruction Fuzzy Hash: 24113DB5800258CFDB20CF9AC585BDEBBF4AF48320F20841AD519B7300C738A944CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8b9c32b96c025b0d0949a912f3a0751ef2e0d35763cacf4a4e135620e2bcbfd
                              • Instruction ID: 3654aac6d728f0c312080f0be930ba4be8b29ecaf5d8c05e4b273348e89d1419
                              • Opcode Fuzzy Hash: a8b9c32b96c025b0d0949a912f3a0751ef2e0d35763cacf4a4e135620e2bcbfd
                              • Instruction Fuzzy Hash: 141260347102028BEB29AB38E46536CB7A2EBCA346F10497DE505CB355DF79ED469F80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 80145fa93c0102a7c7a831d256691ba2d9d8accd8c88c6e53726d9984de27fa9
                              • Instruction ID: 9d8784bb41eda3c7e467f128c12dc84f96178b40727dba82dc45ea25d63aa2e2
                              • Opcode Fuzzy Hash: 80145fa93c0102a7c7a831d256691ba2d9d8accd8c88c6e53726d9984de27fa9
                              • Instruction Fuzzy Hash: 6ED1AF30A012058FDB14DF69D8907AEBBB6FF89310F20856AE909EB395D734DC45CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70256bc89b0e0f8030f547a8d9d4e8c9c2dfa1b8eae7e19ac11f35b0c69a75c7
                              • Instruction ID: e9377768da3c073c88796f78e54ec41cbfa9a69fed4241a56e13f7ef97b12eb3
                              • Opcode Fuzzy Hash: 70256bc89b0e0f8030f547a8d9d4e8c9c2dfa1b8eae7e19ac11f35b0c69a75c7
                              • Instruction Fuzzy Hash: 19C19F34A012058FDB18DF79D4A4AADBBB2EF89311F208469E906E7395DB35EC42CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4403d4827522a43ba53769a053d54f62a470a60f98ebdc2b3657e6572cb2e3a5
                              • Instruction ID: b1eba4bc127efa2b141ef1c295447844558c195cef36fed9c64e7112f3b80d47
                              • Opcode Fuzzy Hash: 4403d4827522a43ba53769a053d54f62a470a60f98ebdc2b3657e6572cb2e3a5
                              • Instruction Fuzzy Hash: 30B16B70E00249CFDB10DFA8DCA179DBBF1AF88754F148529D819AB394EBB49885CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a949b145825b401e1b1a377a392a4e4ae40a92dab96dacf31d2971c940b49544
                              • Instruction ID: 4c950f10931dad6d52836397ad9679ee993e70660f983073cc27d62c8c07f31c
                              • Opcode Fuzzy Hash: a949b145825b401e1b1a377a392a4e4ae40a92dab96dacf31d2971c940b49544
                              • Instruction Fuzzy Hash: 95A14970E10249DFDB10CFA8C9957AEBBF2AF88314F148129E415A7354EB749C55CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 75b148623cb89ef3fc99f91bd9fc462ae11ddbb69b215f71433c49f920986abf
                              • Instruction ID: 82c9e3ffc0c7bcb6c0cc2d0a426c8c7e9070e1ab5e3fb9f78e7fa6b0035bbc3c
                              • Opcode Fuzzy Hash: 75b148623cb89ef3fc99f91bd9fc462ae11ddbb69b215f71433c49f920986abf
                              • Instruction Fuzzy Hash: 877168B0E00249DFDB10CFA9D89179EBBF2BF88714F148129E415AB354EBB49842CF95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8048fb29794247d17d6fb33abd41cc9b527996c85f7fec0f889adffc5e1a06a2
                              • Instruction ID: 021cc627b8c3f668f2a0ae7e90ea02ee972bfb9f59977206afde693cf4543e68
                              • Opcode Fuzzy Hash: 8048fb29794247d17d6fb33abd41cc9b527996c85f7fec0f889adffc5e1a06a2
                              • Instruction Fuzzy Hash: B8716A70E00249DFDB14CFA9D89179EBBF2BF88714F148129E415AB354EBB49841CF95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18e658a8fc0b5fdab6c4a1d2e548dc34fb3b99f956b52fb9a4f2f66b3f6b3b31
                              • Instruction ID: bf21484c78ca6cf45222e35f3259a96f475cab8294876a7f29efeb020bf0f0c5
                              • Opcode Fuzzy Hash: 18e658a8fc0b5fdab6c4a1d2e548dc34fb3b99f956b52fb9a4f2f66b3f6b3b31
                              • Instruction Fuzzy Hash: 3051D170A002459FDF25DF78C4617AEB7B6EF8A304F148569E405EB391DB719C428F91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be4687bf6b2f6139def0545cba6147cae68da4c9f412e916903f526e46326b6a
                              • Instruction ID: 9d42a60ec296759c5953d6b130a8196bc60355df5c394bd5159d58ee173c1402
                              • Opcode Fuzzy Hash: be4687bf6b2f6139def0545cba6147cae68da4c9f412e916903f526e46326b6a
                              • Instruction Fuzzy Hash: C8512371E002188FDF18DFAAC864BADBBB5BF48304F18811AE815BB391D774A844CF95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b351cc9882e58bfbe6e505d63b43d52fe178498fae34f57fe9afbae38fa867dc
                              • Instruction ID: def2c18c9bb6c7e950c16e4bf9970e7125b98802028f1d38c3551a7099939efb
                              • Opcode Fuzzy Hash: b351cc9882e58bfbe6e505d63b43d52fe178498fae34f57fe9afbae38fa867dc
                              • Instruction Fuzzy Hash: 32510371E002188FDF18DFAAC8A4BADBBB5BF48314F188519E815BB391D774A844CF95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8ef9946c82b94da973b34ea46d42c07764426626755a5ba97308853e55226874
                              • Instruction ID: 70f5d47a2ddb67140a8fb89b7a2da266944edf0e4daf2f8765d78e275d6a1e9a
                              • Opcode Fuzzy Hash: 8ef9946c82b94da973b34ea46d42c07764426626755a5ba97308853e55226874
                              • Instruction Fuzzy Hash: AF51BD39201B46CFD70AFF28F894B993BB6F7E630571459E9D1004B23AEA686905DB80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 911c884a8f57fee7beb8cdd2e4d776d0d10f687d25f52ff18b61b44b5e16e832
                              • Instruction ID: 69146a3d2f1087b71fe4e831c05789c6f61c2ebc50547d0f9181398ac6373974
                              • Opcode Fuzzy Hash: 911c884a8f57fee7beb8cdd2e4d776d0d10f687d25f52ff18b61b44b5e16e832
                              • Instruction Fuzzy Hash: 0C41C230B002458BDB19AB34D56476E7BB3AFC9254B2445A8D402DB395EF36CC42CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f40f6ef18f67ea47f5993e64bc71afa48510d41b531f481f2c72e7891b4e0af7
                              • Instruction ID: aea269de8845541d93a81e6974780271d8507974102f70e9cdae68f92d9205e8
                              • Opcode Fuzzy Hash: f40f6ef18f67ea47f5993e64bc71afa48510d41b531f481f2c72e7891b4e0af7
                              • Instruction Fuzzy Hash: CE51BC39201B46CFD70AFF29F894B893BB6F7E630531459E9D1004B239EEB86905DB80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f7380dd61b3cd87bfdc268c36df9663b581facbca1e990f283dda246896118f0
                              • Instruction ID: f738f7f34ff454464551e384e820871718d744e7c7eb51b03439cebb9c01b3cb
                              • Opcode Fuzzy Hash: f7380dd61b3cd87bfdc268c36df9663b581facbca1e990f283dda246896118f0
                              • Instruction Fuzzy Hash: DC318E35E006059BDB19CF65D8A469EB7B2FF88300F108929E806E7751EB75EC42CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 50e9832e9ac426472153864ee1e36d0b03a8aabdf766a37e7a2bd1fabf77b725
                              • Instruction ID: 6455db02fc78fa001fd44efeb650a38a4ec217c375a201925403641bdc5db0d8
                              • Opcode Fuzzy Hash: 50e9832e9ac426472153864ee1e36d0b03a8aabdf766a37e7a2bd1fabf77b725
                              • Instruction Fuzzy Hash: 1C316E70E002498BEB15CFA5D46179EF7B6EF85300F108525E406EB340DB719D42CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c49b3f9acf1f50200d96fa1c53c15bb5dfbf96f120c85444f997aa5b11f3c1b6
                              • Instruction ID: b196b69d650c51fd151712ecad155c7c6507a9ef06dbf4978a7bb1e486035ecf
                              • Opcode Fuzzy Hash: c49b3f9acf1f50200d96fa1c53c15bb5dfbf96f120c85444f997aa5b11f3c1b6
                              • Instruction Fuzzy Hash: CA410FB0900349DFEB10CFA9C494ADEBBB5BF48310F148129E819AB250DB359949CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 86105a9912c1b4536a51277a16ac20004b1a57d3d652c12747a1396cbb2cf255
                              • Instruction ID: 5f0ce211a95461d25a0b680beda76365f4e8632beec91a9964d8faebe5079855
                              • Opcode Fuzzy Hash: 86105a9912c1b4536a51277a16ac20004b1a57d3d652c12747a1396cbb2cf255
                              • Instruction Fuzzy Hash: 5B315C34F006059BDB19DF65D86469EB7B2FF89300F108529E806E7791DB75EC42CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9ca18ab99f240fce973f665124e6e898cf39fe3ba9dd03199e20488facdb6f85
                              • Instruction ID: 97fa756a338ac3cef613bbb8c7fb8b0c08d2c88263722a85820aa56e37aef8d5
                              • Opcode Fuzzy Hash: 9ca18ab99f240fce973f665124e6e898cf39fe3ba9dd03199e20488facdb6f85
                              • Instruction Fuzzy Hash: 1D41EFB0D00348DFEB10CFA9C594ADEBBF5BF48710F108029E819AB250DB75A949CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c226b8510c803baf5ede3db5d88e6f2a19c70c0eb27d427f36dc47744769f7ce
                              • Instruction ID: 10dd35f1bef3aade7c3e150cb102f4fd597990424ba9d875e06afade730fb6e3
                              • Opcode Fuzzy Hash: c226b8510c803baf5ede3db5d88e6f2a19c70c0eb27d427f36dc47744769f7ce
                              • Instruction Fuzzy Hash: 94212935F002019BDF11AB78A8647AA3BE6EB8A754F1454E5EA0EC7344EB38CC418F84
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.4570167619.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_26a0000_MSBuild.jbxd