Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
REMITTANCE COPY.exe

Overview

General Information

Sample name:REMITTANCE COPY.exe
Analysis ID:1428765
MD5:a33320345206b3021eb274e26392b642
SHA1:ff70bf20c4aa62f509a336f35273941cdc7a065a
SHA256:eb5262f8a8a005e32de9c99ccc53dbe005836c4a56916cef8d9d32ff2f87a80c
Tags:AgentTeslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • REMITTANCE COPY.exe (PID: 5676 cmdline: "C:\Users\user\Desktop\REMITTANCE COPY.exe" MD5: A33320345206B3021EB274E26392B642)
    • powershell.exe (PID: 5864 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6112 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3128 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 3040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • CNqCubHKvlzbGo.exe (PID: 5988 cmdline: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe MD5: A33320345206B3021EB274E26392B642)
    • schtasks.exe (PID: 2952 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmp20AE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.tabcoeng.com", "Username": "tabco@tabcoeng.com", "Password": "TaSq3365!"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000008.00000002.2076423787.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000D.00000002.3251502190.0000000002F64000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000008.00000002.2076423787.0000000002FC0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0000000D.00000002.3251502190.0000000002F5E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Click to see the 19 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              9.2.CNqCubHKvlzbGo.exe.3cc6108.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                9.2.CNqCubHKvlzbGo.exe.3cc6108.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  9.2.CNqCubHKvlzbGo.exe.3cc6108.2.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x323e3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x32455:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x324df:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x32571:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x325db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x3264d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x326e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x32773:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  0.2.REMITTANCE COPY.exe.3ab0f18.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    0.2.REMITTANCE COPY.exe.3ab0f18.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 27 entries

                      Sigma Signatures

                      Networking

                      barindex
                      Sigma detected: MSBuild connects to smtp port
                      Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 135.181.124.14, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 3040, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

                      System Summary

                      barindex
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REMITTANCE COPY.exe", ParentImage: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentProcessId: 5676, ParentProcessName: REMITTANCE COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", ProcessId: 5864, ProcessName: powershell.exe
                      Sigma detected: Silenttrinity Stager Msbuild Activity
                      Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 3040, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REMITTANCE COPY.exe", ParentImage: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentProcessId: 5676, ParentProcessName: REMITTANCE COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", ProcessId: 5864, ProcessName: powershell.exe
                      Sigma detected: Suspicious Add Scheduled Task Parent
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmp20AE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmp20AE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe, ParentImage: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe, ParentProcessId: 5988, ParentProcessName: CNqCubHKvlzbGo.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmp20AE.tmp", ProcessId: 2952, ProcessName: schtasks.exe
                      Sigma detected: Suspicious Schtasks From Env Var Folder
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\REMITTANCE COPY.exe", ParentImage: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentProcessId: 5676, ParentProcessName: REMITTANCE COPY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp", ProcessId: 3128, ProcessName: schtasks.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REMITTANCE COPY.exe", ParentImage: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentProcessId: 5676, ParentProcessName: REMITTANCE COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe", ProcessId: 5864, ProcessName: powershell.exe

                      Persistence and Installation Behavior

                      barindex
                      Sigma detected: Scheduled temp file as task from temp location
                      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\REMITTANCE COPY.exe", ParentImage: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentProcessId: 5676, ParentProcessName: REMITTANCE COPY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp", ProcessId: 3128, ProcessName: schtasks.exe

                      Snort Signatures

                      Timestamp:04/19/24-15:37:03.080820
                      SID:2855542
                      Source Port:49705
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:03.080820
                      SID:2855245
                      Source Port:49705
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:03.080820
                      SID:2840032
                      Source Port:49705
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:06.758919
                      SID:2030171
                      Source Port:49707
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:06.758919
                      SID:2839723
                      Source Port:49707
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:06.759029
                      SID:2851779
                      Source Port:49707
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:03.080820
                      SID:2839723
                      Source Port:49705
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:03.080820
                      SID:2030171
                      Source Port:49705
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:06.759029
                      SID:2855542
                      Source Port:49707
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:06.759029
                      SID:2855245
                      Source Port:49707
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:06.759029
                      SID:2840032
                      Source Port:49707
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:04/19/24-15:37:03.080820
                      SID:2851779
                      Source Port:49705
                      Destination Port:587
                      Protocol:TCP
                      Classtype:A Network Trojan was detected

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.tabcoeng.com", "Username": "tabco@tabcoeng.com", "Password": "TaSq3365!"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeReversingLabs: Detection: 44%
                      Multi AV Scanner detection for submitted file
                      Source: REMITTANCE COPY.exeReversingLabs: Detection: 44%
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeJoe Sandbox ML: detected
                      Machine Learning detection for sample
                      Source: REMITTANCE COPY.exeJoe Sandbox ML: detected
                      Source: REMITTANCE COPY.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49713 version: TLS 1.0
                      Source: REMITTANCE COPY.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: winload_prod.pdbY source: CNqCubHKvlzbGo.exe, 00000009.00000002.2100459259.0000000005DCE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: XJmcU.pdb source: REMITTANCE COPY.exe, CNqCubHKvlzbGo.exe.0.dr
                      Source: Binary string: XJmcU.pdbSHA2569 source: REMITTANCE COPY.exe, CNqCubHKvlzbGo.exe.0.dr
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior

                      Networking

                      barindex
                      Snort IDS alert for network traffic
                      Source: TrafficSnort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49705 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49705 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49705 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49705 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49705 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49707 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49707 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49707 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49707 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49707 -> 135.181.124.14:587
                      Source: TrafficSnort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49707 -> 135.181.124.14:587
                      Yara detected Generic Downloader
                      Source: Yara matchFile source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.raw.unpack, type: UNPACKEDPE
                      Source: global trafficTCP traffic: 192.168.2.5:49705 -> 135.181.124.14:587
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                      Source: Joe Sandbox ViewJA3 fingerprint: 1138de370e523e824bbca92d049a3777
                      Source: unknownDNS query: name: ip-api.com
                      Source: global trafficTCP traffic: 192.168.2.5:49705 -> 135.181.124.14:587
                      Source: unknownHTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49713 version: TLS 1.0
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: unknownDNS traffic detected: queries for: ip-api.com
                      Source: MSBuild.exe, 00000008.00000002.2076423787.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3251502190.0000000002F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2076423787.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, CNqCubHKvlzbGo.exe, 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3250308604.000000000125C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3251502190.0000000002F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                      Source: MSBuild.exe, 00000008.00000002.2076423787.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3251502190.0000000002F64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.tabcoeng.com
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2051789680.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2076423787.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, CNqCubHKvlzbGo.exe, 00000009.00000002.2094246093.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3251502190.0000000002F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: REMITTANCE COPY.exe, CNqCubHKvlzbGo.exe.0.drString found in binary or memory: http://tempuri.org/x.xsd?MultiGames.Properties.Resources
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, CNqCubHKvlzbGo.exe, 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                      Source: REMITTANCE COPY.exe, CNqCubHKvlzbGo.exe.0.drString found in binary or memory: https://github.com/zuppao).
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      barindex
                      Contains functionality to log keystrokes (.Net Source)
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, cPKWk.cs.Net Code: _3etv
                      Source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.raw.unpack, cPKWk.cs.Net Code: _3etv

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      .NET source code contains very large array initializations
                      Source: 0.2.REMITTANCE COPY.exe.52d0000.4.raw.unpack, LoginForm.csLarge array initialization: : array initializer size 33603
                      .NET source code contains very large strings
                      Source: REMITTANCE COPY.exe, Form1.csLong String: Length: 131612
                      Source: CNqCubHKvlzbGo.exe.0.dr, Form1.csLong String: Length: 131612
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_00F3DC740_2_00F3DC74
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_0804CCF00_2_0804CCF0
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_0804F8400_2_0804F840
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_08048DD00_2_08048DD0
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_08047FD80_2_08047FD8
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_08047FE80_2_08047FE8
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_080463A80_2_080463A8
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_080484200_2_08048420
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_080467E00_2_080467E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_015141F08_2_015141F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_01514AC08_2_01514AC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_01513EA88_2_01513EA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0151F6E08_2_0151F6E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C66A88_2_069C66A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C87E08_2_069C87E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C00408_2_069C0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069CEC588_2_069CEC58
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069CE8378_2_069CE837
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069CB3988_2_069CB398
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C33C08_2_069C33C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C9C108_2_069C9C10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C8EF38_2_069C8EF3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069CACB88_2_069CACB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C59B88_2_069C59B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C00068_2_069C0006
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_02ABDC749_2_02ABDC74
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F77F09_2_051F77F0
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FC6D09_2_051FC6D0
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F99909_2_051F9990
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FC9E89_2_051FC9E8
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F8AE09_2_051F8AE0
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F85329_2_051F8532
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F85409_2_051F8540
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FF5909_2_051FF590
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FF5809_2_051FF580
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FA40A9_2_051FA40A
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F77909_2_051F7790
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FB6DA9_2_051FB6DA
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FC6C19_2_051FC6C1
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FB6E89_2_051FB6E8
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F80789_2_051F8078
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F80689_2_051F8068
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FBC919_2_051FBC91
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FD9509_2_051FD950
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F994D9_2_051F994D
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FC9D99_2_051FC9D9
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FA8309_2_051FA830
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FA8209_2_051FA820
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F68D89_2_051F68D8
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F68C99_2_051F68C9
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F1B4F9_2_051F1B4F
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F1B609_2_051F1B60
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FBA589_2_051FBA58
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051FBA489_2_051FBA48
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F8AD29_2_051F8AD2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_01324AC013_2_01324AC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0132CE8013_2_0132CE80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_01323EA813_2_01323EA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_013241F013_2_013241F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0132F6E013_2_0132F6E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_01321A6D13_2_01321A6D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_067787E013_2_067787E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_067732F813_2_067732F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0677B39813_2_0677B398
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0677004013_2_06770040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06779C1013_2_06779C10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0677E84813_2_0677E848
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_067759C813_2_067759C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06778F0813_2_06778F08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0677ACB813_2_0677ACB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06BC33D013_2_06BC33D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0677000713_2_06770007
                      Source: REMITTANCE COPY.exe, 00000000.00000000.2001994444.0000000000422000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXJmcU.exe< vs REMITTANCE COPY.exe
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2055141808.00000000052D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs REMITTANCE COPY.exe
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2050320374.00000000009EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs REMITTANCE COPY.exe
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2058423182.0000000008430000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs REMITTANCE COPY.exe
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2051789680.0000000002A04000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename25c1d7be-ae86-4a0f-bd4e-a9e1f6e75e07.exe4 vs REMITTANCE COPY.exe
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename25c1d7be-ae86-4a0f-bd4e-a9e1f6e75e07.exe4 vs REMITTANCE COPY.exe
                      Source: REMITTANCE COPY.exeBinary or memory string: OriginalFilenameXJmcU.exe< vs REMITTANCE COPY.exe
                      Source: REMITTANCE COPY.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: REMITTANCE COPY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: CNqCubHKvlzbGo.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, cPs8D.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, 72CF8egH.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, G5CXsdn.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, 3uPsILA6U.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, 6oQOw74dfIt.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, aMIWm.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, 3QjbQ514BDx.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, 3QjbQ514BDx.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, lAxGl550OXdIl6RgLf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, lAxGl550OXdIl6RgLf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, lAxGl550OXdIl6RgLf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: _0020.SetAccessControl
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: _0020.AddAccessRule
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: _0020.SetAccessControl
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: _0020.AddAccessRule
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: _0020.SetAccessControl
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, pMOI3TbUm5GfpCblLE.csSecurity API names: _0020.AddAccessRule
                      Source: classification engineClassification label: mal100.spre.troj.spyw.evad.winEXE@19/15@2/2
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile created: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMutant created: \Sessions\1\BaseNamedObjects\cZdTWENAzkFduVDjnCEGSKqc
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile created: C:\Users\user\AppData\Local\Temp\tmpEBC.tmpJump to behavior
                      Source: REMITTANCE COPY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: REMITTANCE COPY.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: REMITTANCE COPY.exeReversingLabs: Detection: 44%
                      Source: REMITTANCE COPY.exeString found in binary or memory: Save/Load
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile read: C:\Users\user\Desktop\REMITTANCE COPY.exe:Zone.IdentifierJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\REMITTANCE COPY.exe "C:\Users\user\Desktop\REMITTANCE COPY.exe"
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmp20AE.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmp20AE.tmp"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: REMITTANCE COPY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: REMITTANCE COPY.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: REMITTANCE COPY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: winload_prod.pdbY source: CNqCubHKvlzbGo.exe, 00000009.00000002.2100459259.0000000005DCE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: XJmcU.pdb source: REMITTANCE COPY.exe, CNqCubHKvlzbGo.exe.0.dr
                      Source: Binary string: XJmcU.pdbSHA2569 source: REMITTANCE COPY.exe, CNqCubHKvlzbGo.exe.0.dr

                      Data Obfuscation

                      barindex
                      .NET source code contains potential unpacker
                      Source: REMITTANCE COPY.exe, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                      Source: CNqCubHKvlzbGo.exe.0.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                      Source: 0.2.REMITTANCE COPY.exe.52d0000.4.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, pMOI3TbUm5GfpCblLE.cs.Net Code: TVj8EAd5FJ System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, pMOI3TbUm5GfpCblLE.cs.Net Code: TVj8EAd5FJ System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, pMOI3TbUm5GfpCblLE.cs.Net Code: TVj8EAd5FJ System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 0_2_00F3D89E pushfd ; ret 0_2_00F3D8A1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_01510CA1 push edi; retf 8_2_01510CAA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_069C9C01 push es; ret 8_2_069C9C0C
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F93DD pushad ; retf 9_2_051F93DE
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F93E7 pushad ; retf 9_2_051F93E8
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeCode function: 9_2_051F6EA7 push ebx; ret 9_2_051F6EAA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06779BAF push es; ret 13_2_06779C0C
                      Source: REMITTANCE COPY.exeStatic PE information: section name: .text entropy: 7.3230788156481825
                      Source: CNqCubHKvlzbGo.exe.0.drStatic PE information: section name: .text entropy: 7.3230788156481825
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, mSWj1bEngJU8Pdwr99.csHigh entropy of concatenated method names: 'bEqEBgnj4', 'G4u3gx96v', 'AOvsQV8bs', 'qfIRyCmPv', 'lwAWdAZ55', 'Lig1n0TrW', 'rGIcdP0hhZJ6ByCt1u', 'RYw2ynKJkWNZoQqtQr', 'ur5NAW4Pf', 'Jo9ZjTRol'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, hayBOql2nDoLPMwIfo.csHigh entropy of concatenated method names: 'WCGtXFnsh4', 'D2ctQWh6K7', 'nRftENleb1', 'Iv2t3dRAE8', 'mTRtFjrPlN', 'AKttstHyUx', 'I0dtRYbWQt', 'ELPt0hbMmA', 'kH7tW5cTex', 'yIYt1kPqCi'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, Ny8NKgZxupvGLLylyd.csHigh entropy of concatenated method names: 'DWEtAed4Tr', 'B50tgdvnqc', 'cdDtHGKfjB', 'b4oHYtNjP9', 'a2kHzVJl69', 'IiwtG0sW4s', 'yeMtB8YVKr', 'NkQtVCTfUb', 'KrotqQi07v', 'pT1t84WwVK'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, BN1FGgo3GGJWA1QGmf.csHigh entropy of concatenated method names: 'uTsBtg7Oaj', 'M1IBMrk66O', 'dF4BO6xtE2', 'fJ7BlIoKk2', 'reCBuD2Y6b', 'Nd0BiUqUiy', 'GQUMSbcK0Pe0XuAUdb', 'qkm62eNbVUXgv3BHQi', 'EVlBB5Xt6M', 'AV7Bq0gqT9'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, DXL5gBg78is2DHSaur.csHigh entropy of concatenated method names: 'KVOvDxLx43', 'z4LvYPvAsW', 'A0UNG5u1DM', 'WvlNBEp0w4', 'TNrv50fVsI', 'Hr7v7igt7I', 'SCQv23qfhZ', 'WQivSF2tqQ', 'tjbvyOwtiR', 'c2hvaXcjJn'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, lAxGl550OXdIl6RgLf.csHigh entropy of concatenated method names: 'HChIS1Inpd', 'tguIyZHYeA', 'f0OIahdJuZ', 'NrRIp5CJaA', 'OM5InOMpPB', 'LflI42sCxL', 'iYmIbi3VOX', 'btcIDuNg25', 'HM3IkEDkHy', 'AIYIY36PCq'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, WvOtTCYHK2dlyjEXVg.csHigh entropy of concatenated method names: 'Dispose', 'RmbBkGf4mn', 'ScKVhhmCmO', 'tFnccyZHXj', 'RowBYa6uQ3', 'wcOBzbqWLA', 'ProcessDialogKey', 'BTwVGWtcUp', 'pi5VBUZBUs', 'vR0VVBTXE9'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, KsmfdO1N5flFtJIxIJ.csHigh entropy of concatenated method names: 'X1hg3ggbYA', 'S9PgskukOC', 'HD2g0M2K7L', 'wdXgWoE3Ia', 'HG8guk9lR2', 'C1KgivB2R3', 'vBCgv5f80h', 'O7cgNxiUjr', 'plUgdblOEs', 'dlCgZlYh7p'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, K0c9I1QdnK7GlukgGpJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uRiZSFWjXn', 'nvCZyXOdih', 'JZtZaYQUjL', 'vsxZpCcx7v', 'AZ0ZnIoUD7', 'VehZ4GZ0n2', 'B4OZbCfFo2'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, PixJlLscNnE9HdSxV6.csHigh entropy of concatenated method names: 'iS8HjdSvSp', 'Je6HIx1RiG', 'zsZHUup3de', 'pk8HtYlSlr', 'kHYHM7xu1g', 'R7JUn0X43X', 'HHvU4mHLoH', 'JUEUbptaVk', 'pG5UDJ5EJq', 'CgTUkMKChV'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, yOQC2Jm1hbZQa4f2bd.csHigh entropy of concatenated method names: 'NJGP07sxCI', 'aTGPWQnsfx', 'bxuPCHBH0v', 'N11PhRefgq', 'MODPeaT1QN', 'DCNPfAUOD6', 'f9dPxQ1hPk', 'iKOPwVlNdI', 'faVPTq9Y5k', 'HgdP570h7U'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, jH2jk8jFnUtMSM8hgu.csHigh entropy of concatenated method names: 'SQyUFarsqI', 'RvwURduI0A', 'eBGgLBC3nC', 'SRMgeDCOC8', 'PgUgfuF9nU', 'MYVgKs4rBA', 'HAlgx5tYGK', 'nOMgwha83L', 'zcVgJwgCky', 'DlBgTwsjl0'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, jZHnuMQV8gFUMVbwx2d.csHigh entropy of concatenated method names: 'eurdX8VMPk', 'k9TdQVcnus', 'LDedEXhPeh', 'GJ1d3U4MfA', 'OjedFCL0ek', 'LOrdsyefSy', 'DoNdR2dBqa', 'Cl3d0jHwed', 'BV0dWO6Nxp', 'w2td1qs8nd'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, JjyIRG4DuVZ0H2YsgY.csHigh entropy of concatenated method names: 'mKkdBkyGNh', 'BcUdqaYbAt', 'LHod891iUS', 'rQNdAoBwAx', 'sqidINr2wm', 'qFndUfCVSV', 'EXldHrL9IQ', 'UBONbUo2Iw', 'XmfNDZF7ro', 'HaSNk8LhjY'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, h4UeuoC4TZcO3oNu8T.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kTAVk6rgUG', 'iUTVYpH7D3', 'g7AVzpXshT', 'WErqG4eoHQ', 'oTGqBQq2mO', 'rW7qVvuc6k', 'cmHqqWCHCB', 'QZZv1WsllfEtxeu7Gvh'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, CENp6OhPSZ5tr40f2f.csHigh entropy of concatenated method names: 'MAcNAlwUPu', 'N1TNIqLjh8', 'Ql2NgNw3xB', 'oxyNUt5nJF', 'yTTNHLAuZk', 'dNQNtUGsNT', 'fGaNM7UdNW', 'L0nNmNeMAW', 'AT3NOqt3pF', 'DkxNlZckZ2'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, pMOI3TbUm5GfpCblLE.csHigh entropy of concatenated method names: 'UTaqj2Qyyp', 'KTdqAof3FA', 'QFkqIB82kL', 'YNBqgBRr1B', 'msfqUsaZ9U', 'E2TqHBmqf6', 'yN5qtomi9P', 'LthqM1gUVj', 'XgFqmRQcUZ', 'UI3qO4b0pa'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, BuFQNqzrftoHXmvp1l.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FY9dP6xUWx', 'q2lduNCB3A', 'c09dio65Y2', 'iCZdv2elEk', 'z41dNBnGtY', 'hliddvVAE4', 'EX9dZH4d0C'
                      Source: 0.2.REMITTANCE COPY.exe.46df4f8.0.raw.unpack, ddBdgUR2ehymCeoWPR.csHigh entropy of concatenated method names: 'XBUNCMNrRb', 'Ln6NhJWYww', 'psTNLljciF', 'OMRNeU2qRZ', 'GNNNSwSTP8', 'O0oNfXq901', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, mSWj1bEngJU8Pdwr99.csHigh entropy of concatenated method names: 'bEqEBgnj4', 'G4u3gx96v', 'AOvsQV8bs', 'qfIRyCmPv', 'lwAWdAZ55', 'Lig1n0TrW', 'rGIcdP0hhZJ6ByCt1u', 'RYw2ynKJkWNZoQqtQr', 'ur5NAW4Pf', 'Jo9ZjTRol'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, hayBOql2nDoLPMwIfo.csHigh entropy of concatenated method names: 'WCGtXFnsh4', 'D2ctQWh6K7', 'nRftENleb1', 'Iv2t3dRAE8', 'mTRtFjrPlN', 'AKttstHyUx', 'I0dtRYbWQt', 'ELPt0hbMmA', 'kH7tW5cTex', 'yIYt1kPqCi'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, Ny8NKgZxupvGLLylyd.csHigh entropy of concatenated method names: 'DWEtAed4Tr', 'B50tgdvnqc', 'cdDtHGKfjB', 'b4oHYtNjP9', 'a2kHzVJl69', 'IiwtG0sW4s', 'yeMtB8YVKr', 'NkQtVCTfUb', 'KrotqQi07v', 'pT1t84WwVK'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, BN1FGgo3GGJWA1QGmf.csHigh entropy of concatenated method names: 'uTsBtg7Oaj', 'M1IBMrk66O', 'dF4BO6xtE2', 'fJ7BlIoKk2', 'reCBuD2Y6b', 'Nd0BiUqUiy', 'GQUMSbcK0Pe0XuAUdb', 'qkm62eNbVUXgv3BHQi', 'EVlBB5Xt6M', 'AV7Bq0gqT9'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, DXL5gBg78is2DHSaur.csHigh entropy of concatenated method names: 'KVOvDxLx43', 'z4LvYPvAsW', 'A0UNG5u1DM', 'WvlNBEp0w4', 'TNrv50fVsI', 'Hr7v7igt7I', 'SCQv23qfhZ', 'WQivSF2tqQ', 'tjbvyOwtiR', 'c2hvaXcjJn'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, lAxGl550OXdIl6RgLf.csHigh entropy of concatenated method names: 'HChIS1Inpd', 'tguIyZHYeA', 'f0OIahdJuZ', 'NrRIp5CJaA', 'OM5InOMpPB', 'LflI42sCxL', 'iYmIbi3VOX', 'btcIDuNg25', 'HM3IkEDkHy', 'AIYIY36PCq'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, WvOtTCYHK2dlyjEXVg.csHigh entropy of concatenated method names: 'Dispose', 'RmbBkGf4mn', 'ScKVhhmCmO', 'tFnccyZHXj', 'RowBYa6uQ3', 'wcOBzbqWLA', 'ProcessDialogKey', 'BTwVGWtcUp', 'pi5VBUZBUs', 'vR0VVBTXE9'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, KsmfdO1N5flFtJIxIJ.csHigh entropy of concatenated method names: 'X1hg3ggbYA', 'S9PgskukOC', 'HD2g0M2K7L', 'wdXgWoE3Ia', 'HG8guk9lR2', 'C1KgivB2R3', 'vBCgv5f80h', 'O7cgNxiUjr', 'plUgdblOEs', 'dlCgZlYh7p'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, K0c9I1QdnK7GlukgGpJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uRiZSFWjXn', 'nvCZyXOdih', 'JZtZaYQUjL', 'vsxZpCcx7v', 'AZ0ZnIoUD7', 'VehZ4GZ0n2', 'B4OZbCfFo2'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, PixJlLscNnE9HdSxV6.csHigh entropy of concatenated method names: 'iS8HjdSvSp', 'Je6HIx1RiG', 'zsZHUup3de', 'pk8HtYlSlr', 'kHYHM7xu1g', 'R7JUn0X43X', 'HHvU4mHLoH', 'JUEUbptaVk', 'pG5UDJ5EJq', 'CgTUkMKChV'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, yOQC2Jm1hbZQa4f2bd.csHigh entropy of concatenated method names: 'NJGP07sxCI', 'aTGPWQnsfx', 'bxuPCHBH0v', 'N11PhRefgq', 'MODPeaT1QN', 'DCNPfAUOD6', 'f9dPxQ1hPk', 'iKOPwVlNdI', 'faVPTq9Y5k', 'HgdP570h7U'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, jH2jk8jFnUtMSM8hgu.csHigh entropy of concatenated method names: 'SQyUFarsqI', 'RvwURduI0A', 'eBGgLBC3nC', 'SRMgeDCOC8', 'PgUgfuF9nU', 'MYVgKs4rBA', 'HAlgx5tYGK', 'nOMgwha83L', 'zcVgJwgCky', 'DlBgTwsjl0'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, jZHnuMQV8gFUMVbwx2d.csHigh entropy of concatenated method names: 'eurdX8VMPk', 'k9TdQVcnus', 'LDedEXhPeh', 'GJ1d3U4MfA', 'OjedFCL0ek', 'LOrdsyefSy', 'DoNdR2dBqa', 'Cl3d0jHwed', 'BV0dWO6Nxp', 'w2td1qs8nd'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, JjyIRG4DuVZ0H2YsgY.csHigh entropy of concatenated method names: 'mKkdBkyGNh', 'BcUdqaYbAt', 'LHod891iUS', 'rQNdAoBwAx', 'sqidINr2wm', 'qFndUfCVSV', 'EXldHrL9IQ', 'UBONbUo2Iw', 'XmfNDZF7ro', 'HaSNk8LhjY'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, h4UeuoC4TZcO3oNu8T.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kTAVk6rgUG', 'iUTVYpH7D3', 'g7AVzpXshT', 'WErqG4eoHQ', 'oTGqBQq2mO', 'rW7qVvuc6k', 'cmHqqWCHCB', 'QZZv1WsllfEtxeu7Gvh'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, CENp6OhPSZ5tr40f2f.csHigh entropy of concatenated method names: 'MAcNAlwUPu', 'N1TNIqLjh8', 'Ql2NgNw3xB', 'oxyNUt5nJF', 'yTTNHLAuZk', 'dNQNtUGsNT', 'fGaNM7UdNW', 'L0nNmNeMAW', 'AT3NOqt3pF', 'DkxNlZckZ2'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, pMOI3TbUm5GfpCblLE.csHigh entropy of concatenated method names: 'UTaqj2Qyyp', 'KTdqAof3FA', 'QFkqIB82kL', 'YNBqgBRr1B', 'msfqUsaZ9U', 'E2TqHBmqf6', 'yN5qtomi9P', 'LthqM1gUVj', 'XgFqmRQcUZ', 'UI3qO4b0pa'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, BuFQNqzrftoHXmvp1l.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FY9dP6xUWx', 'q2lduNCB3A', 'c09dio65Y2', 'iCZdv2elEk', 'z41dNBnGtY', 'hliddvVAE4', 'EX9dZH4d0C'
                      Source: 0.2.REMITTANCE COPY.exe.4783d18.1.raw.unpack, ddBdgUR2ehymCeoWPR.csHigh entropy of concatenated method names: 'XBUNCMNrRb', 'Ln6NhJWYww', 'psTNLljciF', 'OMRNeU2qRZ', 'GNNNSwSTP8', 'O0oNfXq901', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, mSWj1bEngJU8Pdwr99.csHigh entropy of concatenated method names: 'bEqEBgnj4', 'G4u3gx96v', 'AOvsQV8bs', 'qfIRyCmPv', 'lwAWdAZ55', 'Lig1n0TrW', 'rGIcdP0hhZJ6ByCt1u', 'RYw2ynKJkWNZoQqtQr', 'ur5NAW4Pf', 'Jo9ZjTRol'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, hayBOql2nDoLPMwIfo.csHigh entropy of concatenated method names: 'WCGtXFnsh4', 'D2ctQWh6K7', 'nRftENleb1', 'Iv2t3dRAE8', 'mTRtFjrPlN', 'AKttstHyUx', 'I0dtRYbWQt', 'ELPt0hbMmA', 'kH7tW5cTex', 'yIYt1kPqCi'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, Ny8NKgZxupvGLLylyd.csHigh entropy of concatenated method names: 'DWEtAed4Tr', 'B50tgdvnqc', 'cdDtHGKfjB', 'b4oHYtNjP9', 'a2kHzVJl69', 'IiwtG0sW4s', 'yeMtB8YVKr', 'NkQtVCTfUb', 'KrotqQi07v', 'pT1t84WwVK'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, BN1FGgo3GGJWA1QGmf.csHigh entropy of concatenated method names: 'uTsBtg7Oaj', 'M1IBMrk66O', 'dF4BO6xtE2', 'fJ7BlIoKk2', 'reCBuD2Y6b', 'Nd0BiUqUiy', 'GQUMSbcK0Pe0XuAUdb', 'qkm62eNbVUXgv3BHQi', 'EVlBB5Xt6M', 'AV7Bq0gqT9'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, DXL5gBg78is2DHSaur.csHigh entropy of concatenated method names: 'KVOvDxLx43', 'z4LvYPvAsW', 'A0UNG5u1DM', 'WvlNBEp0w4', 'TNrv50fVsI', 'Hr7v7igt7I', 'SCQv23qfhZ', 'WQivSF2tqQ', 'tjbvyOwtiR', 'c2hvaXcjJn'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, lAxGl550OXdIl6RgLf.csHigh entropy of concatenated method names: 'HChIS1Inpd', 'tguIyZHYeA', 'f0OIahdJuZ', 'NrRIp5CJaA', 'OM5InOMpPB', 'LflI42sCxL', 'iYmIbi3VOX', 'btcIDuNg25', 'HM3IkEDkHy', 'AIYIY36PCq'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, WvOtTCYHK2dlyjEXVg.csHigh entropy of concatenated method names: 'Dispose', 'RmbBkGf4mn', 'ScKVhhmCmO', 'tFnccyZHXj', 'RowBYa6uQ3', 'wcOBzbqWLA', 'ProcessDialogKey', 'BTwVGWtcUp', 'pi5VBUZBUs', 'vR0VVBTXE9'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, KsmfdO1N5flFtJIxIJ.csHigh entropy of concatenated method names: 'X1hg3ggbYA', 'S9PgskukOC', 'HD2g0M2K7L', 'wdXgWoE3Ia', 'HG8guk9lR2', 'C1KgivB2R3', 'vBCgv5f80h', 'O7cgNxiUjr', 'plUgdblOEs', 'dlCgZlYh7p'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, K0c9I1QdnK7GlukgGpJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uRiZSFWjXn', 'nvCZyXOdih', 'JZtZaYQUjL', 'vsxZpCcx7v', 'AZ0ZnIoUD7', 'VehZ4GZ0n2', 'B4OZbCfFo2'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, PixJlLscNnE9HdSxV6.csHigh entropy of concatenated method names: 'iS8HjdSvSp', 'Je6HIx1RiG', 'zsZHUup3de', 'pk8HtYlSlr', 'kHYHM7xu1g', 'R7JUn0X43X', 'HHvU4mHLoH', 'JUEUbptaVk', 'pG5UDJ5EJq', 'CgTUkMKChV'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, yOQC2Jm1hbZQa4f2bd.csHigh entropy of concatenated method names: 'NJGP07sxCI', 'aTGPWQnsfx', 'bxuPCHBH0v', 'N11PhRefgq', 'MODPeaT1QN', 'DCNPfAUOD6', 'f9dPxQ1hPk', 'iKOPwVlNdI', 'faVPTq9Y5k', 'HgdP570h7U'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, jH2jk8jFnUtMSM8hgu.csHigh entropy of concatenated method names: 'SQyUFarsqI', 'RvwURduI0A', 'eBGgLBC3nC', 'SRMgeDCOC8', 'PgUgfuF9nU', 'MYVgKs4rBA', 'HAlgx5tYGK', 'nOMgwha83L', 'zcVgJwgCky', 'DlBgTwsjl0'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, jZHnuMQV8gFUMVbwx2d.csHigh entropy of concatenated method names: 'eurdX8VMPk', 'k9TdQVcnus', 'LDedEXhPeh', 'GJ1d3U4MfA', 'OjedFCL0ek', 'LOrdsyefSy', 'DoNdR2dBqa', 'Cl3d0jHwed', 'BV0dWO6Nxp', 'w2td1qs8nd'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, JjyIRG4DuVZ0H2YsgY.csHigh entropy of concatenated method names: 'mKkdBkyGNh', 'BcUdqaYbAt', 'LHod891iUS', 'rQNdAoBwAx', 'sqidINr2wm', 'qFndUfCVSV', 'EXldHrL9IQ', 'UBONbUo2Iw', 'XmfNDZF7ro', 'HaSNk8LhjY'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, h4UeuoC4TZcO3oNu8T.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kTAVk6rgUG', 'iUTVYpH7D3', 'g7AVzpXshT', 'WErqG4eoHQ', 'oTGqBQq2mO', 'rW7qVvuc6k', 'cmHqqWCHCB', 'QZZv1WsllfEtxeu7Gvh'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, CENp6OhPSZ5tr40f2f.csHigh entropy of concatenated method names: 'MAcNAlwUPu', 'N1TNIqLjh8', 'Ql2NgNw3xB', 'oxyNUt5nJF', 'yTTNHLAuZk', 'dNQNtUGsNT', 'fGaNM7UdNW', 'L0nNmNeMAW', 'AT3NOqt3pF', 'DkxNlZckZ2'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, pMOI3TbUm5GfpCblLE.csHigh entropy of concatenated method names: 'UTaqj2Qyyp', 'KTdqAof3FA', 'QFkqIB82kL', 'YNBqgBRr1B', 'msfqUsaZ9U', 'E2TqHBmqf6', 'yN5qtomi9P', 'LthqM1gUVj', 'XgFqmRQcUZ', 'UI3qO4b0pa'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, BuFQNqzrftoHXmvp1l.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FY9dP6xUWx', 'q2lduNCB3A', 'c09dio65Y2', 'iCZdv2elEk', 'z41dNBnGtY', 'hliddvVAE4', 'EX9dZH4d0C'
                      Source: 0.2.REMITTANCE COPY.exe.8430000.7.raw.unpack, ddBdgUR2ehymCeoWPR.csHigh entropy of concatenated method names: 'XBUNCMNrRb', 'Ln6NhJWYww', 'psTNLljciF', 'OMRNeU2qRZ', 'GNNNSwSTP8', 'O0oNfXq901', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile created: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeJump to dropped file

                      Boot Survival

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp"

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Yara detected AntiVM3
                      Source: Yara matchFile source: Process Memory Space: REMITTANCE COPY.exe PID: 5676, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: CNqCubHKvlzbGo.exe PID: 5988, type: MEMORYSTR
                      Check if machine is in data center or colocation facility
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: REMITTANCE COPY.exe, 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, CNqCubHKvlzbGo.exe, 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: EF0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: 29D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: 28F0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: 5C70000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: 6C70000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: 6DA0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: 7DA0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: 84E0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: 5C70000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 1510000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2F60000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2E90000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 11C0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 2C20000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 4C20000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 60B0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 70B0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 71F0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 81F0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 8930000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeMemory allocated: 60B0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 12E0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2F00000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2C20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6357Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1371Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6854Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2471Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1474Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2108Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 3053
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 733
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exe TID: 1964Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2212Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1472Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6520Thread sleep count: 6854 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2704Thread sleep count: 2471 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4012Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 728Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -100000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3436Thread sleep count: 1474 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -99875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3436Thread sleep count: 2108 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -99765s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -99656s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -99547s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -99429s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -99312s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -99203s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -99093s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98984s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98869s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98750s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98640s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98531s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98414s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98297s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98172s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -98062s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432Thread sleep time: -97953s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe TID: 5640Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -100000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -99890s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3680Thread sleep count: 3053 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -99781s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3680Thread sleep count: 733 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -99672s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -99547s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -99437s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -99328s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -99219s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -99094s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98984s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98875s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98765s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98656s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98547s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98437s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98328s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98213s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -98094s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -97984s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1992Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99765Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99429Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99312Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99203Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99093Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98869Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98640Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98414Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98297Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97953Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99890
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99781
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99672
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99547
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99437
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99328
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99219
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99094
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98984
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98875
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98765
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98656
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98547
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98437
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98328
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98213
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98094
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97984
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                      Source: MSBuild.exe, 00000008.00000002.2082784983.00000000062BB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                      Source: CNqCubHKvlzbGo.exe, 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                      Source: CNqCubHKvlzbGo.exe, 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                      Source: MSBuild.exe, 0000000D.00000002.3257784727.00000000060FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

                      barindex
                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_015170A8 CheckRemoteDebuggerPresent,8_2_015170A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe"
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe"
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe"Jump to behavior
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 440000Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EFF008Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmp20AE.tmp"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Users\user\Desktop\REMITTANCE COPY.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeQueries volume information: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\REMITTANCE COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      barindex
                      Yara detected AgentTesla
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3a756f8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.2076423787.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.3251502190.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2076423787.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.3251502190.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2076423787.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.3251502190.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: REMITTANCE COPY.exe PID: 5676, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 3040, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: CNqCubHKvlzbGo.exe PID: 5988, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 736, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\FTP Navigator\Ftplist.txt
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3a756f8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2076423787.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.3251502190.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: REMITTANCE COPY.exe PID: 5676, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 3040, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: CNqCubHKvlzbGo.exe PID: 5988, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 736, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected AgentTesla
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3a756f8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3d01928.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3ab0f18.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.REMITTANCE COPY.exe.3a756f8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.CNqCubHKvlzbGo.exe.3cc6108.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.2076423787.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.3251502190.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2076423787.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.3251502190.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2076423787.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.3251502190.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: REMITTANCE COPY.exe PID: 5676, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 3040, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: CNqCubHKvlzbGo.exe PID: 5988, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 736, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		1
                      DLL Side-Loading                      		11
                      Disable or Modify Tools                      		2
                      OS Credential Dumping                      		2
                      File and Directory Discovery                      		Remote Services11
                      Archive Collected Data                      		1
                      Ingress Tool Transfer                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts2
                      Command and Scripting Interpreter                      		1
                      Scheduled Task/Job                      		311
                      Process Injection                      		1
                      Deobfuscate/Decode Files or Information                      		1
                      Input Capture                      		24
                      System Information Discovery                      		Remote Desktop Protocol2
                      Data from Local System                      		12
                      Encrypted Channel                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain Accounts1
                      Scheduled Task/Job                      		Logon Script (Windows)1
                      Scheduled Task/Job                      		2
                      Obfuscated Files or Information                      		1
                      Credentials in Registry                      		521
                      Security Software Discovery                      		SMB/Windows Admin Shares1
                      Email Collection                      		1
                      Non-Standard Port                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                      Software Packing                      		NTDS1
                      Process Discovery                      		Distributed Component Object Model1
                      Input Capture                      		2
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading                      		LSA Secrets151
                      Virtualization/Sandbox Evasion                      		SSHKeylogging13
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Masquerading                      		Cached Domain Credentials1
                      Application Window Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items151
                      Virtualization/Sandbox Evasion                      		DCSync1
                      System Network Configuration Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job311
                      Process Injection                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428765 Sample: REMITTANCE COPY.exe Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 42 mail.tabcoeng.com 2->42 44 ip-api.com 2->44 46 3 other IPs or domains 2->46 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 16 other signatures 2->58 8 REMITTANCE COPY.exe 7 2->8         started        12 CNqCubHKvlzbGo.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\CNqCubHKvlzbGo.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\Temp\tmpEBC.tmp, XML 8->40 dropped 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->60 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 70 2 other signatures 8->70 14 MSBuild.exe 15 2 8->14         started        18 powershell.exe 22 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 24 MSBuild.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 48 mail.tabcoeng.com 135.181.124.14, 49705, 49707, 587 HETZNER-ASDE Germany 14->48 50 ip-api.com 208.95.112.1, 49704, 49706, 80 TUT-ASUS United States 14->50 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->72 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->74 76 Tries to steal Mail credentials (via file / registry access) 14->76 78 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 14->78 80 Loading BitLocker PowerShell Module 18->80 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        82 Tries to harvest and steal ftp login credentials 24->82 84 Tries to harvest and steal browser information (history, passwords, etc) 24->84 36 conhost.exe 26->36         started        signatures9 process10

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      REMITTANCE COPY.exe45%ReversingLabs
                      REMITTANCE COPY.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe45%ReversingLabs

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      bg.microsoft.map.fastly.net
                      		199.232.214.172
                      		truefalse
                        		unknown
                        ip-api.com
                        		208.95.112.1
                        		truefalse
                          		high
                          mail.tabcoeng.com
                          		135.181.124.14
                          		truetrue
                            		unknown
                            fp2e7a.wpc.phicdn.net
                            		192.229.211.108
                            		truefalse
                              		unknown

                              Contacted URLs

                              NameMaliciousAntivirus DetectionReputation
                              http://ip-api.com/line/?fields=hostingfalse
                                		high

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://tempuri.org/x.xsd?MultiGames.Properties.ResourcesREMITTANCE COPY.exe, CNqCubHKvlzbGo.exe.0.drfalse
                                  		unknown
                                  http://mail.tabcoeng.comMSBuild.exe, 00000008.00000002.2076423787.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3251502190.0000000002F64000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://account.dyn.com/REMITTANCE COPY.exe, 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, CNqCubHKvlzbGo.exe, 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameREMITTANCE COPY.exe, 00000000.00000002.2051789680.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2076423787.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, CNqCubHKvlzbGo.exe, 00000009.00000002.2094246093.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3251502190.0000000002F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://github.com/zuppao).REMITTANCE COPY.exe, CNqCubHKvlzbGo.exe.0.drfalse
                                          		high
                                          http://ip-api.comMSBuild.exe, 00000008.00000002.2076423787.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3251502190.0000000002F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high

                                            World Map of Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public IPs

                                            IPDomainCountryFlagASNASN NameMalicious
                                            208.95.112.1
                                            		ip-api.comUnited States
                                            		53334TUT-ASUSfalse
                                            135.181.124.14
                                            		mail.tabcoeng.comGermany
                                            		24940HETZNER-ASDEtrue

                                            General Information

                                            Joe Sandbox version:40.0.0 Tourmaline
                                            Analysis ID:1428765
                                            Start date and time:2024-04-19 15:36:08 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 7m 58s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:16
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:REMITTANCE COPY.exe
                                            Detection:MAL
                                            Classification:mal100.spre.troj.spyw.evad.winEXE@19/15@2/2
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 99%
                                            • Number of executed functions: 197
                                            • Number of non-executed functions: 20
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe

                                            Warnings

                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                            • Excluded IPs from analysis (whitelisted): 40.68.123.157, 199.232.210.172, 192.229.211.108, 199.232.214.172, 20.242.39.171, 20.3.187.198
                                            • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtCreateKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: REMITTANCE COPY.exe

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            15:36:56API Interceptor1x Sleep call for process: REMITTANCE COPY.exe modified
                                            15:36:57API Interceptor38x Sleep call for process: powershell.exe modified
                                            15:36:59Task SchedulerRun new task: CNqCubHKvlzbGo path: C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe
                                            15:37:00API Interceptor38x Sleep call for process: MSBuild.exe modified
                                            15:37:01API Interceptor1x Sleep call for process: CNqCubHKvlzbGo.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            208.95.112.1New Voicemail_Daiichi-Sankyo.htmlGet hashmaliciousHTMLPhisherBrowse
                                            • ip-api.com/json/?fields=status,country,regionName,city,query
                                            DHL.exeGet hashmaliciousAgentTeslaBrowse
                                            • ip-api.com/line/?fields=hosting
                                            KjCBSM7Ukv.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                                            • ip-api.com/line/?fields=hosting
                                            eO2bqORIJb.exeGet hashmaliciousAgentTeslaBrowse
                                            • ip-api.com/line/?fields=hosting
                                            SecuriteInfo.com.Win64.Evo-gen.10533.31255.exeGet hashmaliciousUnknownBrowse
                                            • ip-api.com/json
                                            13w4NM6mPa.exeGet hashmaliciousLummaCBrowse
                                            • ip-api.com/json
                                            mdWXrbOxsY.exeGet hashmaliciousXehook StealerBrowse
                                            • ip-api.com/line/?fields=hosting
                                            mdWXrbOxsY.exeGet hashmaliciousXehook StealerBrowse
                                            • ip-api.com/line/?fields=hosting
                                            Syknivkloo.exeGet hashmaliciousAgentTeslaBrowse
                                            • ip-api.com/line/?fields=hosting
                                            Shipping Dcuments_CI PKL_HL_.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • ip-api.com/line/?fields=hosting

                                            Domains

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            fp2e7a.wpc.phicdn.neteOU2MVDmTd.exeGet hashmaliciousCredGrabber, Meduza Stealer, PureLog Stealer, zgRATBrowse
                                            • 192.229.211.108
                                            purchaseorder4.exeGet hashmaliciousPython StealerBrowse
                                            • 192.229.211.108
                                            https://cionfacttalleriproj.norwayeast.cloudapp.azure.com/?finanzas.busqueda?q=Secretar%C3%ADa+de+Administraci%C3%B3n+y+Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884Get hashmaliciousHTMLPhisherBrowse
                                            • 192.229.211.108
                                            https://diversityjobs.com/employer/company/1665/Worthington-Industries-IncGet hashmaliciousUnknownBrowse
                                            • 192.229.211.108
                                            https://app.box.com/s/ktl5qtvf2us1megbgmjabwqaxcdy69b5Get hashmaliciousUnknownBrowse
                                            • 192.229.211.108
                                            https://dt.r24dmp.de/Get hashmaliciousUnknownBrowse
                                            • 192.229.211.108
                                            s.exeGet hashmaliciousUnknownBrowse
                                            • 192.229.211.108
                                            https://bestprizerhere.life/?u=3w8p605&o=pn1kfzq&t=pshtb_redirectUrl_bodyGet hashmaliciousGRQ ScamBrowse
                                            • 192.229.211.108
                                            http://bestprizerhere.life/Get hashmaliciousUnknownBrowse
                                            • 192.229.211.108
                                            https://cionfacttalleriproj.norwayeast.cloudapp.azure.com/?finanzas.busqueda?q=Secretar%C3%ADa+de+Administraci%C3%B3n+y+Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884Get hashmaliciousHTMLPhisherBrowse
                                            • 192.229.211.108
                                            ip-api.comNew Voicemail_Daiichi-Sankyo.htmlGet hashmaliciousHTMLPhisherBrowse
                                            • 208.95.112.1
                                            DHL.exeGet hashmaliciousAgentTeslaBrowse
                                            • 208.95.112.1
                                            KjCBSM7Ukv.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                                            • 208.95.112.1
                                            eO2bqORIJb.exeGet hashmaliciousAgentTeslaBrowse
                                            • 208.95.112.1
                                            SecuriteInfo.com.Win64.Evo-gen.10533.31255.exeGet hashmaliciousUnknownBrowse
                                            • 208.95.112.1
                                            13w4NM6mPa.exeGet hashmaliciousLummaCBrowse
                                            • 208.95.112.1
                                            mdWXrbOxsY.exeGet hashmaliciousXehook StealerBrowse
                                            • 208.95.112.1
                                            mdWXrbOxsY.exeGet hashmaliciousXehook StealerBrowse
                                            • 208.95.112.1
                                            Syknivkloo.exeGet hashmaliciousAgentTeslaBrowse
                                            • 208.95.112.1
                                            Shipping Dcuments_CI PKL_HL_.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 208.95.112.1
                                            bg.microsoft.map.fastly.netpurchaseorder4.exeGet hashmaliciousPython StealerBrowse
                                            • 199.232.210.172
                                            https://cionfacttalleriproj.norwayeast.cloudapp.azure.com/?finanzas.busqueda?q=Secretar%C3%ADa+de+Administraci%C3%B3n+y+Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884Get hashmaliciousHTMLPhisherBrowse
                                            • 199.232.210.172
                                            https://diversityjobs.com/employer/company/1665/Worthington-Industries-IncGet hashmaliciousUnknownBrowse
                                            • 199.232.210.172
                                            s.exeGet hashmaliciousUnknownBrowse
                                            • 199.232.214.172
                                            https://bestprizerhere.life/?u=3w8p605&o=pn1kfzq&t=pshtb_redirectUrl_bodyGet hashmaliciousGRQ ScamBrowse
                                            • 199.232.214.172
                                            https://jll2.sharepoint.com/:f:/t/WorkplaceStrategy274/EqyxzpLxD8lEhSn1hXMNtKMBbmoik8-xeuIbHrYk7cgngA?e=5%3a2wyFQq&at=9&xsdata=MDV8MDJ8cGF0cmljaWEucmliZWlyb0Bub3ZvYmFuY28ucHR8NjlmMTdkMWU5YzBjNDFkN2UwZmIwOGRjNTNjN2YwZTV8MTAzMzgwNDgxOTNhNDI5OGFiZWEzNTk2YWU4OGIwNWV8MHwwfDYzODQ3NzM2NTQwMjI0OTQwNXxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=T2RkZHdHdHpwUXkxSG5Kd2Noc1RHVUc3YVNLVE1sOWZUTXdVZitYYXh6Yz0%3dGet hashmaliciousHTMLPhisherBrowse
                                            • 199.232.210.172
                                            ServerInfo.exeGet hashmaliciousUnknownBrowse
                                            • 199.232.210.172
                                            xYUpeXwPkWEHXm4.exeGet hashmaliciousAgentTeslaBrowse
                                            • 199.232.210.172
                                            https://www.joesandbox.com/loginGet hashmaliciousUnknownBrowse
                                            • 199.232.210.172
                                            dwutTyDPzl2TBZV.exeGet hashmaliciousAgentTeslaBrowse
                                            • 199.232.214.172

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            HETZNER-ASDEhttps://bestprizerhere.life/?u=3w8p605&o=pn1kfzq&t=pshtb_redirectUrl_bodyGet hashmaliciousGRQ ScamBrowse
                                            • 136.243.216.235
                                            New Soft Update.exeGet hashmaliciousUnknownBrowse
                                            • 116.203.164.39
                                            Oo2yeTdq5J.elfGet hashmaliciousMiraiBrowse
                                            • 88.198.32.246
                                            H8wnVxIEh6.elfGet hashmaliciousGafgyt, MiraiBrowse
                                            • 197.242.86.246
                                            QXeoSsX87R.elfGet hashmaliciousGafgyt, MiraiBrowse
                                            • 144.79.65.41
                                            3OcPSlVa7n.elfGet hashmaliciousMiraiBrowse
                                            • 168.119.31.114
                                            http://www.indeks.pt/Get hashmaliciousUnknownBrowse
                                            • 176.9.67.69
                                            PBZcC2ge1z.exeGet hashmaliciousPureLog Stealer, RHADAMANTHYSBrowse
                                            • 95.216.228.180
                                            https://00f82de.blob.core.windows.net/00f82de/1.html?4SdhQu6964HfYs43wfnwuulljn913CWVGBFRQHRPAHNP32199OVKO12176b14#14/43-6964/913-32199-12176Get hashmaliciousPhisherBrowse
                                            • 178.63.248.54
                                            Remittance Copy.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                            • 148.251.133.229
                                            TUT-ASUSNew Voicemail_Daiichi-Sankyo.htmlGet hashmaliciousHTMLPhisherBrowse
                                            • 208.95.112.1
                                            DHL.exeGet hashmaliciousAgentTeslaBrowse
                                            • 208.95.112.1
                                            KjCBSM7Ukv.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                                            • 208.95.112.1
                                            eO2bqORIJb.exeGet hashmaliciousAgentTeslaBrowse
                                            • 208.95.112.1
                                            SecuriteInfo.com.Win64.Evo-gen.10533.31255.exeGet hashmaliciousUnknownBrowse
                                            • 208.95.112.1
                                            13w4NM6mPa.exeGet hashmaliciousLummaCBrowse
                                            • 208.95.112.1
                                            mdWXrbOxsY.exeGet hashmaliciousXehook StealerBrowse
                                            • 208.95.112.1
                                            mdWXrbOxsY.exeGet hashmaliciousXehook StealerBrowse
                                            • 208.95.112.1
                                            Syknivkloo.exeGet hashmaliciousAgentTeslaBrowse
                                            • 208.95.112.1
                                            Shipping Dcuments_CI PKL_HL_.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 208.95.112.1

                                            JA3 Fingerprints

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            1138de370e523e824bbca92d049a3777https://www.dropbox.com/l/scl/AADwcgxTbjuvzakz6kszZMzP6RXavhxhixQGet hashmaliciousHTMLPhisherBrowse
                                            • 23.1.237.91
                                            eOU2MVDmTd.exeGet hashmaliciousCredGrabber, Meduza Stealer, PureLog Stealer, zgRATBrowse
                                            • 23.1.237.91
                                            https://cionfacttalleriproj.norwayeast.cloudapp.azure.com/?finanzas.busqueda?q=Secretar%C3%ADa+de+Administraci%C3%B3n+y+Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884Get hashmaliciousHTMLPhisherBrowse
                                            • 23.1.237.91
                                            https://bestprizerhere.life/?u=3w8p605&o=pn1kfzq&t=pshtb_redirectUrl_bodyGet hashmaliciousGRQ ScamBrowse
                                            • 23.1.237.91
                                            New Voicemail_Daiichi-Sankyo.htmlGet hashmaliciousHTMLPhisherBrowse
                                            • 23.1.237.91
                                            VnSRmWE631.htmlGet hashmaliciousUnknownBrowse
                                            • 23.1.237.91
                                            xYUpeXwPkWEHXm4.exeGet hashmaliciousAgentTeslaBrowse
                                            • 23.1.237.91
                                            nBBR7c5gR5.htmlGet hashmaliciousUnknownBrowse
                                            • 23.1.237.91
                                            dwutTyDPzl2TBZV.exeGet hashmaliciousAgentTeslaBrowse
                                            • 23.1.237.91
                                            https://ilo.slepptek.com/Get hashmaliciousUnknownBrowse
                                            • 23.1.237.91

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CNqCubHKvlzbGo.exe.log

                                            Download File
                                            Process:C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REMITTANCE COPY.exe.log

                                            Download File
                                            Process:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2232
                                            Entropy (8bit):5.380805901110357
                                            Encrypted:false
                                            SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                            MD5:16AD599332DD2FF94DA0787D71688B62
                                            SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
                                            SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
                                            SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
                                            Malicious:false
                                            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1bm1gfd0.v4w.psm1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b35eofy5.2rh.psm1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0j0r0ga.coo.ps1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwkahjeg.gvv.psm1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mafaltug.kxg.psm1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucxesdxz.ono.ps1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcz4ovjx.hcb.ps1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zghntjoj.vi5.ps1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\tmp20AE.tmp

                                            Download File
                                            Process:C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1587
                                            Entropy (8bit):5.1188657750321855
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNttxvn:cgergYrFdOFzOzN33ODOiDdKrsuTzv
                                            MD5:BF69CCF5A98B2A72CA09573C2366CD1F
                                            SHA1:4D7B96892029F64A6DB740C311C8FCA514F48B60
                                            SHA-256:862CFEA2DF1D12F8ECB138001222F7547C1E9CC887981DB4ADD685D293293841
                                            SHA-512:61FD13BCD3FAD070BBBB096B84BD6F63E74906E31B90F0478DCDC4C5667CA7DCAA048AEFD22B93A0263CFF0CD7FCD3EA1F601C19191808FDCCBA45613DD1906A
                                            Malicious:false
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                            C:\Users\user\AppData\Local\Temp\tmpEBC.tmp

                                            Download File
                                            Process:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1587
                                            Entropy (8bit):5.1188657750321855
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNttxvn:cgergYrFdOFzOzN33ODOiDdKrsuTzv
                                            MD5:BF69CCF5A98B2A72CA09573C2366CD1F
                                            SHA1:4D7B96892029F64A6DB740C311C8FCA514F48B60
                                            SHA-256:862CFEA2DF1D12F8ECB138001222F7547C1E9CC887981DB4ADD685D293293841
                                            SHA-512:61FD13BCD3FAD070BBBB096B84BD6F63E74906E31B90F0478DCDC4C5667CA7DCAA048AEFD22B93A0263CFF0CD7FCD3EA1F601C19191808FDCCBA45613DD1906A
                                            Malicious:true
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                            C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe

                                            Download File
                                            Process:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):1034752
                                            Entropy (8bit):7.317508099841458
                                            Encrypted:false
                                            SSDEEP:12288:RP/xe5TVvwYuP9Ap5Dkq4zxe4wgU8io31Y2/G3O8eqMvS:RPZehyYRkPs4RUo+eqM
                                            MD5:A33320345206B3021EB274E26392B642
                                            SHA1:FF70BF20C4AA62F509A336F35273941CDC7A065A
                                            SHA-256:EB5262F8A8A005E32DE9C99CCC53DBE005836C4A56916CEF8D9D32FF2F87A80C
                                            SHA-512:27B44D691DE48EA95B5C3722558C193FD373D3556C2B3F713F216BC66792A0E4A9BE5A5CC05ECAAB7BC1BE1313B3E616207C3DCE442995EA4C99E81AE20B9FCE
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 45%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y."f..............0.................. ........@.. ....................... ............@.................................v...O.......................................T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........N...W..........T...`...........................................^..}.....(.......(.....*&..(.....*...0..+.........,..{.......+....,...{....o........( ....*..0..=.........s!...}.....s"...}.....s#...}.....($.....{........s%...o&.....{.....s'...o(.....{.....o).....{....r...po*.....{.... o....<s+...o,.....{.....o-.....{....r...po......{.... -....js%...o&.....{....r:..po*.....{.....K..s+...o,.....{.....o-.....{....rD..po......{.....o/.....{...........s0...o1.....{.....o2..

                                            C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe:Zone.Identifier

                                            Download File
                                            Process:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:false
                                            Preview:[ZoneTransfer]....ZoneId=0

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.317508099841458
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:REMITTANCE COPY.exe
                                            File size:1'034'752 bytes
                                            MD5:a33320345206b3021eb274e26392b642
                                            SHA1:ff70bf20c4aa62f509a336f35273941cdc7a065a
                                            SHA256:eb5262f8a8a005e32de9c99ccc53dbe005836c4a56916cef8d9d32ff2f87a80c
                                            SHA512:27b44d691de48ea95b5c3722558c193fd373d3556c2b3f713f216bc66792a0e4a9be5a5cc05ecaab7bc1be1313b3e616207c3dce442995ea4c99e81ae20b9fce
                                            SSDEEP:12288:RP/xe5TVvwYuP9Ap5Dkq4zxe4wgU8io31Y2/G3O8eqMvS:RPZehyYRkPs4RUo+eqM
                                            TLSH:7125F23D1CBD2A3B9176D2AACFE98467F440D07B3A116D7A94D383958346A9378C313E
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y."f..............0.................. ........@.. ....................... ............@................................

                                            File Icon

                                            Icon Hash:00928e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x4fdeca
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x66221059 [Fri Apr 19 06:34:01 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xfde760x4f.text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xfe0000x5f0.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1000000xc.reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0xfc1b40x54.text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                            Sections

                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000xfbed00xfc000e81d8824f698ab5a18b40a97b2e87c8aFalse0.7940470377604166data7.3230788156481825IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc0xfe0000x5f00x600b1f8853e271222538589f170ad59096aFalse0.439453125data4.185028299892696IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc0x1000000xc0x200c5d1fbdc47df8e6fa1575471b166ff68False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                            RT_VERSION0xfe0900x360data0.4363425925925926
                                            RT_MANIFEST0xfe4000x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                            Imports

                                            DLLImport
                                            mscoree.dll_CorExeMain

                                            Network Behavior

                                            Snort IDS Alerts

                                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                            04/19/24-15:37:03.080820TCP2855542ETPRO TROJAN Agent Tesla CnC Exfil Activity49705587192.168.2.5135.181.124.14
                                            04/19/24-15:37:03.080820TCP2855245ETPRO TROJAN Agent Tesla Exfil via SMTP49705587192.168.2.5135.181.124.14
                                            04/19/24-15:37:03.080820TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249705587192.168.2.5135.181.124.14
                                            04/19/24-15:37:06.758919TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49707587192.168.2.5135.181.124.14
                                            04/19/24-15:37:06.758919TCP2839723ETPRO TROJAN Win32/Agent Tesla SMTP Activity49707587192.168.2.5135.181.124.14
                                            04/19/24-15:37:06.759029TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49707587192.168.2.5135.181.124.14
                                            04/19/24-15:37:03.080820TCP2839723ETPRO TROJAN Win32/Agent Tesla SMTP Activity49705587192.168.2.5135.181.124.14
                                            04/19/24-15:37:03.080820TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49705587192.168.2.5135.181.124.14
                                            04/19/24-15:37:06.759029TCP2855542ETPRO TROJAN Agent Tesla CnC Exfil Activity49707587192.168.2.5135.181.124.14
                                            04/19/24-15:37:06.759029TCP2855245ETPRO TROJAN Agent Tesla Exfil via SMTP49707587192.168.2.5135.181.124.14
                                            04/19/24-15:37:06.759029TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249707587192.168.2.5135.181.124.14
                                            04/19/24-15:37:03.080820TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49705587192.168.2.5135.181.124.14

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Apr 19, 2024 15:36:53.750207901 CEST49674443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:36:53.750211000 CEST49675443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:36:53.844011068 CEST49673443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:36:59.873749971 CEST4970480192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:36:59.990077019 CEST8049704208.95.112.1192.168.2.5
                                            Apr 19, 2024 15:36:59.990191936 CEST4970480192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:00.002115011 CEST4970480192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:00.119029045 CEST8049704208.95.112.1192.168.2.5
                                            Apr 19, 2024 15:37:00.172079086 CEST4970480192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:01.300911903 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:01.515311003 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:01.515521049 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:01.759924889 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:01.760236979 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:01.992990017 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:01.994138956 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:02.208657980 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:02.209110975 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:02.429721117 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:02.430109024 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:02.644608021 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:02.647412062 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:02.864917994 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:02.865119934 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:03.079758883 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:03.079809904 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:03.080820084 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:03.080820084 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:03.080820084 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:03.080820084 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:03.295521975 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:03.295566082 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:03.297044992 CEST58749705135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:03.375283957 CEST49674443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:03.515805006 CEST49675443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:03.515836000 CEST49673443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:03.515852928 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:03.673706055 CEST4970680192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:03.791265965 CEST8049706208.95.112.1192.168.2.5
                                            Apr 19, 2024 15:37:03.791369915 CEST4970680192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:03.791930914 CEST4970680192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:03.909940958 CEST8049706208.95.112.1192.168.2.5
                                            Apr 19, 2024 15:37:04.015778065 CEST4970680192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:04.594326019 CEST49705587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:04.595159054 CEST4970480192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:04.816757917 CEST4434970323.1.237.91192.168.2.5
                                            Apr 19, 2024 15:37:04.816860914 CEST49703443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:04.880052090 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:05.110373974 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:05.110487938 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:05.360605955 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:05.360819101 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:05.594892979 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:05.595257044 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:05.825525999 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:05.825808048 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:06.060626030 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:06.060911894 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:06.291445971 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:06.291680098 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:06.525691032 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:06.527839899 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:06.758265018 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:06.758315086 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:06.758919001 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:06.759028912 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:06.759072065 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:06.759082079 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:06.989304066 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:06.989355087 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:06.990902901 CEST58749707135.181.124.14192.168.2.5
                                            Apr 19, 2024 15:37:07.031364918 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:37:15.058809042 CEST49703443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:15.058912992 CEST49703443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:15.059448004 CEST49713443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:15.059480906 CEST4434971323.1.237.91192.168.2.5
                                            Apr 19, 2024 15:37:15.059696913 CEST49713443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:15.059993982 CEST49713443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:15.060008049 CEST4434971323.1.237.91192.168.2.5
                                            Apr 19, 2024 15:37:15.210827112 CEST4434970323.1.237.91192.168.2.5
                                            Apr 19, 2024 15:37:15.211078882 CEST4434970323.1.237.91192.168.2.5
                                            Apr 19, 2024 15:37:15.383584976 CEST4434971323.1.237.91192.168.2.5
                                            Apr 19, 2024 15:37:15.383686066 CEST49713443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:34.524358034 CEST4434971323.1.237.91192.168.2.5
                                            Apr 19, 2024 15:37:34.524435997 CEST49713443192.168.2.523.1.237.91
                                            Apr 19, 2024 15:37:48.369088888 CEST8049706208.95.112.1192.168.2.5
                                            Apr 19, 2024 15:37:48.369328976 CEST4970680192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:54.890860081 CEST4970680192.168.2.5208.95.112.1
                                            Apr 19, 2024 15:37:55.008399963 CEST8049706208.95.112.1192.168.2.5
                                            Apr 19, 2024 15:38:44.906992912 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:38:45.218017101 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:38:45.530556917 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:38:46.139906883 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:38:47.343096018 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:38:49.749281883 CEST49707587192.168.2.5135.181.124.14
                                            Apr 19, 2024 15:38:54.561737061 CEST49707587192.168.2.5135.181.124.14

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Apr 19, 2024 15:36:59.751559019 CEST6145253192.168.2.51.1.1.1
                                            Apr 19, 2024 15:36:59.856821060 CEST53614521.1.1.1192.168.2.5
                                            Apr 19, 2024 15:37:01.169792891 CEST6285953192.168.2.51.1.1.1
                                            Apr 19, 2024 15:37:01.298609018 CEST53628591.1.1.1192.168.2.5

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                            Apr 19, 2024 15:36:59.751559019 CEST192.168.2.51.1.1.10x39eaStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:37:01.169792891 CEST192.168.2.51.1.1.10x15c8Standard query (0)mail.tabcoeng.comA (IP address)IN (0x0001)false

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                            Apr 19, 2024 15:36:59.856821060 CEST1.1.1.1192.168.2.50x39eaNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:37:01.298609018 CEST1.1.1.1192.168.2.50x15c8No error (0)mail.tabcoeng.com135.181.124.14A (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:37:14.768645048 CEST1.1.1.1192.168.2.50x842bNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                                            Apr 19, 2024 15:37:14.768645048 CEST1.1.1.1192.168.2.50x842bNo error (0)fp2e7a.wpc.phicdn.net192.229.211.108A (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:37:14.802597046 CEST1.1.1.1192.168.2.50xa7e5No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:37:14.802597046 CEST1.1.1.1192.168.2.50xa7e5No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:37:28.011826992 CEST1.1.1.1192.168.2.50x21cfNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:37:28.011826992 CEST1.1.1.1192.168.2.50x21cfNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:38:16.103334904 CEST1.1.1.1192.168.2.50xc737No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                            Apr 19, 2024 15:38:16.103334904 CEST1.1.1.1192.168.2.50xc737No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

                                            HTTP Request Dependency Graph

                                            • ip-api.com

                                            HTTP Packets

                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            0192.168.2.549704208.95.112.1803040C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            TimestampBytes transferredDirectionData
                                            Apr 19, 2024 15:37:00.002115011 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                            Host: ip-api.com
                                            Connection: Keep-Alive
                                            Apr 19, 2024 15:37:00.119029045 CEST174INHTTP/1.1 200 OK
                                            Date: Fri, 19 Apr 2024 13:36:59 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Content-Length: 5
                                            Access-Control-Allow-Origin: *
                                            X-Ttl: 60
                                            X-Rl: 44
                                            Data Raw: 74 72 75 65 0a
                                            Data Ascii: true


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            1192.168.2.549706208.95.112.180736C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            TimestampBytes transferredDirectionData
                                            Apr 19, 2024 15:37:03.791930914 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                            Host: ip-api.com
                                            Connection: Keep-Alive
                                            Apr 19, 2024 15:37:03.909940958 CEST174INHTTP/1.1 200 OK
                                            Date: Fri, 19 Apr 2024 13:37:02 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Content-Length: 5
                                            Access-Control-Allow-Origin: *
                                            X-Ttl: 56
                                            X-Rl: 43
                                            Data Raw: 74 72 75 65 0a
                                            Data Ascii: true


                                            SMTP Packets

                                            TimestampSource PortDest PortSource IPDest IPCommands
                                            Apr 19, 2024 15:37:01.759924889 CEST58749705135.181.124.14192.168.2.5220 14.tabcoeng.com ESMTP Exim 4.96-58-g4e9ed49f8 Fri, 19 Apr 2024 09:36:58 -0400
                                            Apr 19, 2024 15:37:01.760236979 CEST49705587192.168.2.5135.181.124.14EHLO 965969
                                            Apr 19, 2024 15:37:01.992990017 CEST58749705135.181.124.14192.168.2.5250-14.tabcoeng.com Hello 965969 [81.181.57.52]
                                            250-SIZE 52428800
                                            250-8BITMIME
                                            250-PIPELINING
                                            250-PIPECONNECT
                                            250-AUTH PLAIN LOGIN
                                            250-STARTTLS
                                            250 HELP
                                            Apr 19, 2024 15:37:01.994138956 CEST49705587192.168.2.5135.181.124.14AUTH login dGFiY29AdGFiY29lbmcuY29t
                                            Apr 19, 2024 15:37:02.208657980 CEST58749705135.181.124.14192.168.2.5334 UGFzc3dvcmQ6
                                            Apr 19, 2024 15:37:02.429721117 CEST58749705135.181.124.14192.168.2.5235 Authentication succeeded
                                            Apr 19, 2024 15:37:02.430109024 CEST49705587192.168.2.5135.181.124.14MAIL FROM:<tabco@tabcoeng.com>
                                            Apr 19, 2024 15:37:02.644608021 CEST58749705135.181.124.14192.168.2.5250 OK
                                            Apr 19, 2024 15:37:02.647412062 CEST49705587192.168.2.5135.181.124.14RCPT TO:<cash@mpdxb-ae.com>
                                            Apr 19, 2024 15:37:02.864917994 CEST58749705135.181.124.14192.168.2.5250 Accepted
                                            Apr 19, 2024 15:37:02.865119934 CEST49705587192.168.2.5135.181.124.14DATA
                                            Apr 19, 2024 15:37:03.079809904 CEST58749705135.181.124.14192.168.2.5354 Enter message, ending with "." on a line by itself
                                            Apr 19, 2024 15:37:03.080820084 CEST49705587192.168.2.5135.181.124.14.
                                            Apr 19, 2024 15:37:03.297044992 CEST58749705135.181.124.14192.168.2.5250 OK id=1rxoP7-009jEu-1w
                                            Apr 19, 2024 15:37:05.360605955 CEST58749707135.181.124.14192.168.2.5220 14.tabcoeng.com ESMTP Exim 4.96-58-g4e9ed49f8 Fri, 19 Apr 2024 09:37:02 -0400
                                            Apr 19, 2024 15:37:05.360819101 CEST49707587192.168.2.5135.181.124.14EHLO 965969
                                            Apr 19, 2024 15:37:05.594892979 CEST58749707135.181.124.14192.168.2.5250-14.tabcoeng.com Hello 965969 [81.181.57.52]
                                            250-SIZE 52428800
                                            250-8BITMIME
                                            250-PIPELINING
                                            250-PIPECONNECT
                                            250-AUTH PLAIN LOGIN
                                            250-STARTTLS
                                            250 HELP
                                            Apr 19, 2024 15:37:05.595257044 CEST49707587192.168.2.5135.181.124.14AUTH login dGFiY29AdGFiY29lbmcuY29t
                                            Apr 19, 2024 15:37:05.825525999 CEST58749707135.181.124.14192.168.2.5334 UGFzc3dvcmQ6
                                            Apr 19, 2024 15:37:06.060626030 CEST58749707135.181.124.14192.168.2.5235 Authentication succeeded
                                            Apr 19, 2024 15:37:06.060911894 CEST49707587192.168.2.5135.181.124.14MAIL FROM:<tabco@tabcoeng.com>
                                            Apr 19, 2024 15:37:06.291445971 CEST58749707135.181.124.14192.168.2.5250 OK
                                            Apr 19, 2024 15:37:06.291680098 CEST49707587192.168.2.5135.181.124.14RCPT TO:<cash@mpdxb-ae.com>
                                            Apr 19, 2024 15:37:06.525691032 CEST58749707135.181.124.14192.168.2.5250 Accepted
                                            Apr 19, 2024 15:37:06.527839899 CEST49707587192.168.2.5135.181.124.14DATA
                                            Apr 19, 2024 15:37:06.758315086 CEST58749707135.181.124.14192.168.2.5354 Enter message, ending with "." on a line by itself
                                            Apr 19, 2024 15:37:06.759082079 CEST49707587192.168.2.5135.181.124.14.
                                            Apr 19, 2024 15:37:06.990902901 CEST58749707135.181.124.14192.168.2.5250 OK id=1rxoPB-009jF1-0t
                                            Apr 19, 2024 15:38:44.906992912 CEST49707587192.168.2.5135.181.124.14QUIT
                                            Apr 19, 2024 15:38:45.218017101 CEST49707587192.168.2.5135.181.124.14QUIT
                                            Apr 19, 2024 15:38:45.530556917 CEST49707587192.168.2.5135.181.124.14QUIT
                                            Apr 19, 2024 15:38:46.139906883 CEST49707587192.168.2.5135.181.124.14QUIT
                                            Apr 19, 2024 15:38:47.343096018 CEST49707587192.168.2.5135.181.124.14QUIT
                                            Apr 19, 2024 15:38:49.749281883 CEST49707587192.168.2.5135.181.124.14QUIT
                                            Apr 19, 2024 15:38:54.561737061 CEST49707587192.168.2.5135.181.124.14QUIT

                                            Statistics

                                            CPU Usage

                                            Click to jump to process

                                            Memory Usage

                                            Click to jump to process

                                            High Level Behavior Distribution

                                            Click to dive into process behavior distribution

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Target ID:0
                                            Start time:15:36:55
                                            Start date:19/04/2024
                                            Path:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\REMITTANCE COPY.exe"
                                            Imagebase:0x420000
                                            File size:1'034'752 bytes
                                            MD5 hash:A33320345206B3021EB274E26392B642
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2052332128.0000000003A75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            General

                                            Target ID:2
                                            Start time:15:36:56
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REMITTANCE COPY.exe"
                                            Imagebase:0xc40000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:3
                                            Start time:15:36:57
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:4
                                            Start time:15:36:57
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe"
                                            Imagebase:0xc40000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:5
                                            Start time:15:36:57
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:6
                                            Start time:15:36:57
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC.tmp"
                                            Imagebase:0x390000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:7
                                            Start time:15:36:57
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:8
                                            Start time:15:36:58
                                            Start date:19/04/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                            Imagebase:0xc90000
                                            File size:262'432 bytes
                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2076423787.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2076423787.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2072537987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2076423787.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2076423787.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:true

                                            General

                                            Target ID:9
                                            Start time:15:37:00
                                            Start date:19/04/2024
                                            Path:C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\CNqCubHKvlzbGo.exe
                                            Imagebase:0x830000
                                            File size:1'034'752 bytes
                                            MD5 hash:A33320345206B3021EB274E26392B642
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2096737807.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 45%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            General

                                            Target ID:10
                                            Start time:15:37:00
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff6ef0c0000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:11
                                            Start time:15:37:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNqCubHKvlzbGo" /XML "C:\Users\user\AppData\Local\Temp\tmp20AE.tmp"
                                            Imagebase:0x390000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:12
                                            Start time:15:37:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:13
                                            Start time:15:37:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                            Imagebase:0xa40000
                                            File size:262'432 bytes
                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3251502190.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3251502190.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3251502190.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3251502190.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:false

                                            Disassembly

                                            Reset < >

                                              Execution Graph

                                              Execution Coverage:10.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:3.1%
                                              Total number of Nodes:194
                                              Total number of Limit Nodes:8
                                              execution_graph 27078 8049b86 27080 80499dd 27078->27080 27079 80499b7 27080->27079 27083 804c9b0 27080->27083 27101 804c9c0 27080->27101 27084 804c9da 27083->27084 27085 804c9e2 27084->27085 27119 804d5c5 27084->27119 27124 804cdbb 27084->27124 27129 804d25b 27084->27129 27134 804d35a 27084->27134 27138 804d058 27084->27138 27143 804d1f8 27084->27143 27148 804d07f 27084->27148 27156 804cfbd 27084->27156 27160 804ccf0 27084->27160 27166 804cf96 27084->27166 27171 804d7d4 27084->27171 27176 804d6b4 27084->27176 27182 804d3a9 27084->27182 27187 804ce0f 27084->27187 27193 804d222 27084->27193 27085->27080 27102 804c9da 27101->27102 27103 804c9e2 27102->27103 27104 804d5c5 2 API calls 27102->27104 27105 804d222 2 API calls 27102->27105 27106 804ce0f 2 API calls 27102->27106 27107 804d3a9 2 API calls 27102->27107 27108 804d6b4 2 API calls 27102->27108 27109 804d7d4 2 API calls 27102->27109 27110 804cf96 2 API calls 27102->27110 27111 804ccf0 2 API calls 27102->27111 27112 804cfbd 2 API calls 27102->27112 27113 804d07f 4 API calls 27102->27113 27114 804d1f8 2 API calls 27102->27114 27115 804d058 2 API calls 27102->27115 27116 804d35a 2 API calls 27102->27116 27117 804d25b 2 API calls 27102->27117 27118 804cdbb 2 API calls 27102->27118 27103->27080 27104->27103 27105->27103 27106->27103 27107->27103 27108->27103 27109->27103 27110->27103 27111->27103 27112->27103 27113->27103 27114->27103 27115->27103 27116->27103 27117->27103 27118->27103 27120 804d5d0 27119->27120 27197 8049200 27120->27197 27201 8049208 27120->27201 27121 804d7fa 27125 804cdc7 27124->27125 27205 8049544 27125->27205 27209 8049550 27125->27209 27130 804d261 27129->27130 27213 80492c0 27130->27213 27217 80492c8 27130->27217 27131 804d293 27136 80492c0 WriteProcessMemory 27134->27136 27137 80492c8 WriteProcessMemory 27134->27137 27135 804cf51 27135->27085 27136->27135 27137->27135 27139 804d065 27138->27139 27221 8048c42 27139->27221 27225 8048c48 27139->27225 27140 804d86b 27144 804d21b 27143->27144 27146 80492c0 WriteProcessMemory 27144->27146 27147 80492c8 WriteProcessMemory 27144->27147 27145 804d60c 27146->27145 27147->27145 27149 804d13f 27148->27149 27229 8048cf0 27149->27229 27233 8048cf8 27149->27233 27150 804d15a 27154 8048c42 ResumeThread 27150->27154 27155 8048c48 ResumeThread 27150->27155 27151 804d86b 27154->27151 27155->27151 27237 80493b1 27156->27237 27241 80493b8 27156->27241 27157 804cf51 27157->27085 27162 804cd33 27160->27162 27161 804ce39 27161->27085 27162->27161 27164 8049544 CreateProcessA 27162->27164 27165 8049550 CreateProcessA 27162->27165 27163 804cf1f 27163->27085 27164->27163 27165->27163 27167 804cfa8 27166->27167 27169 8049200 VirtualAllocEx 27167->27169 27170 8049208 VirtualAllocEx 27167->27170 27168 804d7fa 27169->27168 27170->27168 27172 804d7dc 27171->27172 27174 8049200 VirtualAllocEx 27172->27174 27175 8049208 VirtualAllocEx 27172->27175 27173 804d7fa 27174->27173 27175->27173 27177 804d272 27176->27177 27178 804d7ae 27177->27178 27180 80492c0 WriteProcessMemory 27177->27180 27181 80492c8 WriteProcessMemory 27177->27181 27178->27085 27179 804d293 27180->27179 27181->27179 27183 804d3af 27182->27183 27185 8048c42 ResumeThread 27183->27185 27186 8048c48 ResumeThread 27183->27186 27184 804d86b 27185->27184 27186->27184 27189 804cdc7 27187->27189 27188 804ce39 27188->27085 27189->27188 27191 8049544 CreateProcessA 27189->27191 27192 8049550 CreateProcessA 27189->27192 27190 804cf1f 27190->27085 27191->27190 27192->27190 27195 8048cf0 Wow64SetThreadContext 27193->27195 27196 8048cf8 Wow64SetThreadContext 27193->27196 27194 804d23c 27194->27085 27195->27194 27196->27194 27198 8049248 VirtualAllocEx 27197->27198 27200 8049285 27198->27200 27200->27121 27202 8049248 VirtualAllocEx 27201->27202 27204 8049285 27202->27204 27204->27121 27206 8049550 CreateProcessA 27205->27206 27208 804979b 27206->27208 27210 80495d9 CreateProcessA 27209->27210 27212 804979b 27210->27212 27214 8049310 WriteProcessMemory 27213->27214 27216 8049367 27214->27216 27216->27131 27218 8049310 WriteProcessMemory 27217->27218 27220 8049367 27218->27220 27220->27131 27222 8048c88 ResumeThread 27221->27222 27224 8048cb9 27222->27224 27224->27140 27226 8048c88 ResumeThread 27225->27226 27228 8048cb9 27226->27228 27228->27140 27230 8048d3d Wow64SetThreadContext 27229->27230 27232 8048d85 27230->27232 27232->27150 27234 8048d3d Wow64SetThreadContext 27233->27234 27236 8048d85 27234->27236 27236->27150 27238 8049403 ReadProcessMemory 27237->27238 27240 8049447 27238->27240 27240->27157 27242 8049403 ReadProcessMemory 27241->27242 27244 8049447 27242->27244 27244->27157 27306 f3d300 DuplicateHandle 27307 f3d396 27306->27307 27245 8049ae1 27246 804996c 27245->27246 27247 80499b7 27246->27247 27248 804c9b0 12 API calls 27246->27248 27249 804c9c0 12 API calls 27246->27249 27248->27246 27249->27246 27250 f3d0b8 27251 f3d0fe GetCurrentProcess 27250->27251 27253 f3d150 GetCurrentThread 27251->27253 27254 f3d149 27251->27254 27255 f3d186 27253->27255 27256 f3d18d GetCurrentProcess 27253->27256 27254->27253 27255->27256 27257 f3d1c3 27256->27257 27258 f3d1eb GetCurrentThreadId 27257->27258 27259 f3d21c 27258->27259 27260 f3ad38 27264 f3ae21 27260->27264 27273 f3ae30 27260->27273 27261 f3ad47 27265 f3ae41 27264->27265 27266 f3ae64 27264->27266 27265->27266 27282 f3b0b9 27265->27282 27286 f3b11c 27265->27286 27291 f3b0c8 27265->27291 27266->27261 27267 f3ae5c 27267->27266 27268 f3b068 GetModuleHandleW 27267->27268 27269 f3b095 27268->27269 27269->27261 27274 f3ae41 27273->27274 27275 f3ae64 27273->27275 27274->27275 27279 f3b0b9 LoadLibraryExW 27274->27279 27280 f3b0c8 LoadLibraryExW 27274->27280 27281 f3b11c LoadLibraryExW 27274->27281 27275->27261 27276 f3ae5c 27276->27275 27277 f3b068 GetModuleHandleW 27276->27277 27278 f3b095 27277->27278 27278->27261 27279->27276 27280->27276 27281->27276 27283 f3b0c8 27282->27283 27284 f3b101 27283->27284 27295 f3a870 27283->27295 27284->27267 27287 f3b122 27286->27287 27288 f3b0c1 27286->27288 27289 f3a870 LoadLibraryExW 27288->27289 27290 f3b101 27288->27290 27289->27290 27290->27267 27292 f3b0dc 27291->27292 27293 f3b101 27292->27293 27294 f3a870 LoadLibraryExW 27292->27294 27293->27267 27294->27293 27296 f3b2a8 LoadLibraryExW 27295->27296 27298 f3b321 27296->27298 27298->27284 27308 f34668 27309 f3467a 27308->27309 27310 f34686 27309->27310 27312 f34778 27309->27312 27313 f3479d 27312->27313 27317 f34888 27313->27317 27321 f34878 27313->27321 27319 f348af 27317->27319 27318 f3498c 27318->27318 27319->27318 27325 f3449c 27319->27325 27323 f348af 27321->27323 27322 f3498c 27323->27322 27324 f3449c CreateActCtxA 27323->27324 27324->27322 27326 f35918 CreateActCtxA 27325->27326 27328 f359db 27326->27328 27299 804dbe8 27300 804dd73 27299->27300 27302 804dc0e 27299->27302 27302->27300 27303 804ad04 27302->27303 27304 804de68 PostMessageW 27303->27304 27305 804ded4 27304->27305 27305->27302

                                              Executed Functions

                                              Function 0804CCF0 Relevance: .2, Instructions: 172COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d4088cc4f39cc7a4533f10418553447630c38826bba3bdf39ead2a041dda2c5f
                                              • Instruction ID: a1f688e7f1bf95c6ecb39d429b6bc37229d656762779177e8a96b4a7672af3f0
                                              • Opcode Fuzzy Hash: d4088cc4f39cc7a4533f10418553447630c38826bba3bdf39ead2a041dda2c5f
                                              • Instruction Fuzzy Hash: F36117B1D45619CBEB24CF6ACC407EDFBB6BF89301F0491AAD409A7251EB745A86CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3D0B8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 294 f3d0b8-f3d147 GetCurrentProcess 298 f3d150-f3d184 GetCurrentThread 294->298 299 f3d149-f3d14f 294->299 300 f3d186-f3d18c 298->300 301 f3d18d-f3d1c1 GetCurrentProcess 298->301 299->298 300->301 303 f3d1c3-f3d1c9 301->303 304 f3d1ca-f3d1e5 call f3d287 301->304 303->304 307 f3d1eb-f3d21a GetCurrentThreadId 304->307 308 f3d223-f3d285 307->308 309 f3d21c-f3d222 307->309 309->308
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 00F3D136
                                              • GetCurrentThread.KERNEL32 ref: 00F3D173
                                              • GetCurrentProcess.KERNEL32 ref: 00F3D1B0
                                              • GetCurrentThreadId.KERNEL32 ref: 00F3D209
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 701160a2ba2aafb41d78ac18279d3269d26a1651d3976cb0b19df9ccf6ee8470
                                              • Instruction ID: 1ad29d6c39bd09279c7a2fc468d7c22e3844a037d0196b5da4e9f35cb383f9b3
                                              • Opcode Fuzzy Hash: 701160a2ba2aafb41d78ac18279d3269d26a1651d3976cb0b19df9ccf6ee8470
                                              • Instruction Fuzzy Hash: A55156B09003098FEB14DFAAD948B9EBBF1FF48324F208459E519A7361D774A944CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08049544 Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 338 8049544-80495e5 341 80495e7-80495f1 338->341 342 804961e-804963e 338->342 341->342 343 80495f3-80495f5 341->343 347 8049677-80496a6 342->347 348 8049640-804964a 342->348 345 80495f7-8049601 343->345 346 8049618-804961b 343->346 349 8049605-8049614 345->349 350 8049603 345->350 346->342 356 80496df-8049799 CreateProcessA 347->356 357 80496a8-80496b2 347->357 348->347 352 804964c-804964e 348->352 349->349 351 8049616 349->351 350->349 351->346 353 8049650-804965a 352->353 354 8049671-8049674 352->354 358 804965c 353->358 359 804965e-804966d 353->359 354->347 370 80497a2-8049828 356->370 371 804979b-80497a1 356->371 357->356 360 80496b4-80496b6 357->360 358->359 359->359 361 804966f 359->361 362 80496b8-80496c2 360->362 363 80496d9-80496dc 360->363 361->354 365 80496c4 362->365 366 80496c6-80496d5 362->366 363->356 365->366 366->366 367 80496d7 366->367 367->363 381 8049838-804983c 370->381 382 804982a-804982e 370->382 371->370 384 804984c-8049850 381->384 385 804983e-8049842 381->385 382->381 383 8049830 382->383 383->381 386 8049860-8049864 384->386 387 8049852-8049856 384->387 385->384 388 8049844 385->388 390 8049876-804987d 386->390 391 8049866-804986c 386->391 387->386 389 8049858 387->389 388->384 389->386 392 8049894 390->392 393 804987f-804988e 390->393 391->390 395 8049895 392->395 393->392 395->395
                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08049786
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 272498cd53403487bb33842d6d56349e07896169b9f6204e516c24e6f8fcd8fb
                                              • Instruction ID: 6e3a65d8c999acefe732281e2446a44c2fd3cdd93404460e1d1321607d872c24
                                              • Opcode Fuzzy Hash: 272498cd53403487bb33842d6d56349e07896169b9f6204e516c24e6f8fcd8fb
                                              • Instruction Fuzzy Hash: F1A14CB1D00219DFDB20CF69C845BEEBBF2AF44315F1481B9E819A7260DB749986CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08049550 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 396 8049550-80495e5 398 80495e7-80495f1 396->398 399 804961e-804963e 396->399 398->399 400 80495f3-80495f5 398->400 404 8049677-80496a6 399->404 405 8049640-804964a 399->405 402 80495f7-8049601 400->402 403 8049618-804961b 400->403 406 8049605-8049614 402->406 407 8049603 402->407 403->399 413 80496df-8049799 CreateProcessA 404->413 414 80496a8-80496b2 404->414 405->404 409 804964c-804964e 405->409 406->406 408 8049616 406->408 407->406 408->403 410 8049650-804965a 409->410 411 8049671-8049674 409->411 415 804965c 410->415 416 804965e-804966d 410->416 411->404 427 80497a2-8049828 413->427 428 804979b-80497a1 413->428 414->413 417 80496b4-80496b6 414->417 415->416 416->416 418 804966f 416->418 419 80496b8-80496c2 417->419 420 80496d9-80496dc 417->420 418->411 422 80496c4 419->422 423 80496c6-80496d5 419->423 420->413 422->423 423->423 424 80496d7 423->424 424->420 438 8049838-804983c 427->438 439 804982a-804982e 427->439 428->427 441 804984c-8049850 438->441 442 804983e-8049842 438->442 439->438 440 8049830 439->440 440->438 443 8049860-8049864 441->443 444 8049852-8049856 441->444 442->441 445 8049844 442->445 447 8049876-804987d 443->447 448 8049866-804986c 443->448 444->443 446 8049858 444->446 445->441 446->443 449 8049894 447->449 450 804987f-804988e 447->450 448->447 452 8049895 449->452 450->449 452->452
                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08049786
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: a421af763dbdcfd329d9e1767642251d24a289edf55439fa7a26f5b8131ddf01
                                              • Instruction ID: 77ec1096422429e2aa1481add7e369a3ab2af7a3f0d9089e177f4295d5879537
                                              • Opcode Fuzzy Hash: a421af763dbdcfd329d9e1767642251d24a289edf55439fa7a26f5b8131ddf01
                                              • Instruction Fuzzy Hash: 8D914CB1D00219DFDB20CF69C845BEEBBF2AF48315F148179E819A7260DB749986CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3590C Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 561 f3590c-f359d9 CreateActCtxA 563 f359e2-f35a3c 561->563 564 f359db-f359e1 561->564 571 f35a4b-f35a4f 563->571 572 f35a3e-f35a41 563->572 564->563 573 f35a51-f35a5d 571->573 574 f35a60 571->574 572->571 573->574 575 f35a61 574->575 575->575
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00F359C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 6021d77f9999f33e0c060a2cf737a4527a447251a87a9bceb1a267cb89573c75
                                              • Instruction ID: 8132139cb5513acf552fb5947618ccf0b5d528c1d7cda43f6ac3acbe55431440
                                              • Opcode Fuzzy Hash: 6021d77f9999f33e0c060a2cf737a4527a447251a87a9bceb1a267cb89573c75
                                              • Instruction Fuzzy Hash: 5041EFB1C00619CFDB24CFA9C884BDDBBB5BF88724F20816AD408AB251DB75694ACF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 577 f3449c-f359d9 CreateActCtxA 580 f359e2-f35a3c 577->580 581 f359db-f359e1 577->581 588 f35a4b-f35a4f 580->588 589 f35a3e-f35a41 580->589 581->580 590 f35a51-f35a5d 588->590 591 f35a60 588->591 589->588 590->591 592 f35a61 591->592 592->592
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00F359C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: e38b7f3a437c23a4a2b471a5fea7e0f057e4d0949b06693929a9636e2c2967e4
                                              • Instruction ID: bd496aa65baaf9c4a5ac3d190fca26e17919dca570bbe7b4b63df846b4325dcc
                                              • Opcode Fuzzy Hash: e38b7f3a437c23a4a2b471a5fea7e0f057e4d0949b06693929a9636e2c2967e4
                                              • Instruction Fuzzy Hash: 9841DFB1C00B1DCBDB24DFA9C884B9DBBF5BF88724F20816AD408AB251DB756945DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080492C0 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 594 80492c0-8049316 596 8049326-8049365 WriteProcessMemory 594->596 597 8049318-8049324 594->597 599 8049367-804936d 596->599 600 804936e-804939e 596->600 597->596 599->600
                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08049358
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 44d88b1bbde34c280f800b9f7125fb727ab28247cb2787f9352c414641d08294
                                              • Instruction ID: 83dbb57ba8a1307da598142b0ff52b4c89c5311b88f93a99bd8b0aaab5f3137f
                                              • Opcode Fuzzy Hash: 44d88b1bbde34c280f800b9f7125fb727ab28247cb2787f9352c414641d08294
                                              • Instruction Fuzzy Hash: DE2148B59002499FCB10CFA9C985BEEBFF5FF48310F14842AE919A7251C7749945DF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080492C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 604 80492c8-8049316 606 8049326-8049365 WriteProcessMemory 604->606 607 8049318-8049324 604->607 609 8049367-804936d 606->609 610 804936e-804939e 606->610 607->606 609->610
                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08049358
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 153765c50257848f75fb39f2ae989ffd83168d84da4678d24227bf83372546b8
                                              • Instruction ID: 04da114d1a671b2c886e21f494f810ce8fe8b0af80c1f844933b76ef2d0e69a0
                                              • Opcode Fuzzy Hash: 153765c50257848f75fb39f2ae989ffd83168d84da4678d24227bf83372546b8
                                              • Instruction Fuzzy Hash: BF2127B59003099FCB10CFAAC985BDEBBF5FF48320F14842AE918A7251D7789955DBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08048CF0 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 614 8048cf0-8048d43 616 8048d45-8048d51 614->616 617 8048d53-8048d83 Wow64SetThreadContext 614->617 616->617 619 8048d85-8048d8b 617->619 620 8048d8c-8048dbc 617->620 619->620
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08048D76
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 7ad38e765329ecb975ae0f6f981c99917ab78db0d0056f5b636a37133201a658
                                              • Instruction ID: 097d50b02425e918010baefe9a90e6076564befafe7a32fe88dd7027682ef18b
                                              • Opcode Fuzzy Hash: 7ad38e765329ecb975ae0f6f981c99917ab78db0d0056f5b636a37133201a658
                                              • Instruction Fuzzy Hash: 2F2157B1D002098FDB10DFAAC8847EEBBF5EF48320F14842AD418A7241CB799945CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080493B1 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 624 80493b1-8049445 ReadProcessMemory 627 8049447-804944d 624->627 628 804944e-804947e 624->628 627->628
                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 08049438
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: d93dd4ecb34d27938431eb3d483da5e50b95c2eef58b730733e4798a92c1cc59
                                              • Instruction ID: 654bb180a105025e6a1b7788e43dc53d5b362a06f9c4b0a26338a0174a5d6068
                                              • Opcode Fuzzy Hash: d93dd4ecb34d27938431eb3d483da5e50b95c2eef58b730733e4798a92c1cc59
                                              • Instruction Fuzzy Hash: 322107B19002499FCB10CFA9C985AEEBBF5FF48310F54842DE519A7251C7749545DB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08048CF8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 632 8048cf8-8048d43 634 8048d45-8048d51 632->634 635 8048d53-8048d83 Wow64SetThreadContext 632->635 634->635 637 8048d85-8048d8b 635->637 638 8048d8c-8048dbc 635->638 637->638
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08048D76
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: bb5f6d288ef35cf90d7909d7a1a478e8ed7ba3ed2fd23df2f20b418cd2c8f13d
                                              • Instruction ID: 2a23e31292112afd5f7b6fc48615c90dd1556b9ceabd5c182163957cf2275f55
                                              • Opcode Fuzzy Hash: bb5f6d288ef35cf90d7909d7a1a478e8ed7ba3ed2fd23df2f20b418cd2c8f13d
                                              • Instruction Fuzzy Hash: 8A2138B1D002098FDB10DFAAC4857AEBBF5EF58320F14842AD419A7241CB789945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080493B8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 642 80493b8-8049445 ReadProcessMemory 645 8049447-804944d 642->645 646 804944e-804947e 642->646 645->646
                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 08049438
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: a4a90fc386486265eebb16cfba8003f7f2b0184fa68f0d0b77430e640b47bd59
                                              • Instruction ID: 3015570b4d3b6a5fe07718c692fbc357fb7e5ce4a1aa2b070ba9d9348de9ca86
                                              • Opcode Fuzzy Hash: a4a90fc386486265eebb16cfba8003f7f2b0184fa68f0d0b77430e640b47bd59
                                              • Instruction Fuzzy Hash: B92128B1D002499FCB10CFAAC984AEEFBF5FF48320F50842AE918A7250C7749941DBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3D300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 650 f3d300-f3d394 DuplicateHandle 651 f3d396-f3d39c 650->651 652 f3d39d-f3d3ba 650->652 651->652
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F3D387
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 48182c7219ddd42239b53337f2adce413a775833fe6e41a6dc9a85a71ca0e808
                                              • Instruction ID: 7981e135caba5e3f36ea7beb633985b9543fb2e346667dd3bf7a8488f8392dc0
                                              • Opcode Fuzzy Hash: 48182c7219ddd42239b53337f2adce413a775833fe6e41a6dc9a85a71ca0e808
                                              • Instruction Fuzzy Hash: 9421E2B5D00208DFDB10CFAAD984ADEFBF8EB48320F14801AE918A3310C374A944DFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08049200 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08049276
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 521c75da01abe2eea593920c16413b4f8402270a8d947ba6b24bbc2eafc16ecd
                                              • Instruction ID: 1ac88e31c7d403ccf784671b49e392e282810bfc95c37991056a9ab416ad67db
                                              • Opcode Fuzzy Hash: 521c75da01abe2eea593920c16413b4f8402270a8d947ba6b24bbc2eafc16ecd
                                              • Instruction Fuzzy Hash: C91136768002498FCF10DFA9C945AEEBFF5EB88320F148429D519A7250C7759545DFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3A870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00F3B101,00000800,00000000,00000000), ref: 00F3B312
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 827729719514eabf0d8fc09bac776306beccfbf2623d9ea60b237cc73bdae1a7
                                              • Instruction ID: fcbd28a637f3c680722ab27aa9ecfe92d6b6dec8938d3e7d6330f293a4750a14
                                              • Opcode Fuzzy Hash: 827729719514eabf0d8fc09bac776306beccfbf2623d9ea60b237cc73bdae1a7
                                              • Instruction Fuzzy Hash: 8E11F6B6D003499FDB10CF9AD444ADEFBF4EB88320F14852ED919A7211C375A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3B2A1 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00F3B101,00000800,00000000,00000000), ref: 00F3B312
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 214bf97ca3a794f83c2288cff8d797da669729ba9783b6b39ee373fa58c6acd8
                                              • Instruction ID: 72aee17ec9308b3639cff90a24f926ffcb27483c6fdd0a833a79a623ab68b33c
                                              • Opcode Fuzzy Hash: 214bf97ca3a794f83c2288cff8d797da669729ba9783b6b39ee373fa58c6acd8
                                              • Instruction Fuzzy Hash: 6511F3B6D00249DFDB10DF9AC844ADEFBF4EB88320F14842ED929A7201C375A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08049208 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08049276
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 19bcfd4b48dab862cbb66d87e102badd1df63bfa0a21dfcd1317685e670f0fe9
                                              • Instruction ID: a9f163de191bcba9845f430bcfd48c9be92d41a7533cafab969d21720aebab99
                                              • Opcode Fuzzy Hash: 19bcfd4b48dab862cbb66d87e102badd1df63bfa0a21dfcd1317685e670f0fe9
                                              • Instruction Fuzzy Hash: B51126769002499FCB10DFAAC944ADFFFF5EF88320F148429E519A7250CB75A944DFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08048C42 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 6e63fbd3b660ba196df75df14822cbaeab1c0875da44c4654e1eae291f5ab10f
                                              • Instruction ID: a29fc9c171d155299d536f82bac9acc7cae0d8e2a8c91d653e5c2dfbf4bd452f
                                              • Opcode Fuzzy Hash: 6e63fbd3b660ba196df75df14822cbaeab1c0875da44c4654e1eae291f5ab10f
                                              • Instruction Fuzzy Hash: AD1146B1D002488ECB20DFAAC8857AEFBF5EF88324F248429C419A7240CA756945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08048C48 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 318cc40841fda1944b916e07dd0ff8e93b44ee8ab0d912aa7d75f3181989288c
                                              • Instruction ID: 4dea0666aa8c2afe8e3e97ef222d948bc215b2af9dc2e58bb9fe8c7f3a5769b6
                                              • Opcode Fuzzy Hash: 318cc40841fda1944b916e07dd0ff8e93b44ee8ab0d912aa7d75f3181989288c
                                              • Instruction Fuzzy Hash: F3113AB1D002498FDB20DFAAC84579EFBF5EF88324F148429D519A7240CB756945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00F3B086
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: f2cbe1cc3935fdc8575d66fff92bbb237e88762162422ccd4e37ca084c2cecf8
                                              • Instruction ID: 0a526bac9655b56e084d4bd67079a0c5a6b88f0a6c3ca83c05ed1b4bcd2a4ec9
                                              • Opcode Fuzzy Hash: f2cbe1cc3935fdc8575d66fff92bbb237e88762162422ccd4e37ca084c2cecf8
                                              • Instruction Fuzzy Hash: CB11DFB6C00349CFCB24CF9AC844A9EFBF4EB89324F14841AD529A7211C375A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0804AD04 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                              Download Yara Rule
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0804DEC5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: e082b038b7478b91ffa1b994a3648f75cfad754a2a8dea7d4995495c9727bf65
                                              • Instruction ID: 6957db79873c158a265f7de07ac088b3dec46d1daddaedbfda2e8e253e02c695
                                              • Opcode Fuzzy Hash: e082b038b7478b91ffa1b994a3648f75cfad754a2a8dea7d4995495c9727bf65
                                              • Instruction Fuzzy Hash: A61103B5800349DFDB20DF9AC885BDEFBF8EB59324F108419E918A7211D375A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0804DE61 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                              Download Yara Rule
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0804DEC5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 67a15f809dd7bf5a02aab145b3bdeea3559816bbf6a31fe03702b67175149b86
                                              • Instruction ID: 17d41ad21d599377f0d9cb914bcf0fb2a95a2b54103b0ff0389954f83303c404
                                              • Opcode Fuzzy Hash: 67a15f809dd7bf5a02aab145b3bdeea3559816bbf6a31fe03702b67175149b86
                                              • Instruction Fuzzy Hash: D31122B58002498FDB20CF9AC884BDEFFF4EB59320F208419D818A7601C375A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3B019 Relevance: 1.5, APIs: 1, Instructions: 38COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00F3B086
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: ce68b2d94becae7b4f271827049edb1116d07f5aee91eaf0492e8248e9e52d70
                                              • Instruction ID: d2203ef5e95ee1c4e09ef372594a560ced0de491885ab507096e1f9527e84e07
                                              • Opcode Fuzzy Hash: ce68b2d94becae7b4f271827049edb1116d07f5aee91eaf0492e8248e9e52d70
                                              • Instruction Fuzzy Hash: 93018FB6804309CFCB20DF99D4443DEFBF0AF59324F24865AC169A7292C379654ACF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00D4D3D8 Relevance: .1, Instructions: 75COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051008539.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d4d000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 49c7d19a4261ae00bf01baa168de69fa779a57432c27be6ce2fd0c2c04d8d4f3
                                              • Instruction ID: 21d6164dabdb9fdedd70566b6b0c623ac48e63b9ce6e460df31e3d21df4176f7
                                              • Opcode Fuzzy Hash: 49c7d19a4261ae00bf01baa168de69fa779a57432c27be6ce2fd0c2c04d8d4f3
                                              • Instruction Fuzzy Hash: 052125B5504204DFDB05DF14D9C0B26BF66FB98324F28C56DE90D0B25AC33AE856CAB2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00D5D1D4 Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051085701.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d5d000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e83b12693190d03279f5472766b78828ca76a75c409d9bfa3e662ce3aaed2ce
                                              • Instruction ID: 71a799a63b79d522c201bf389f133f4a531e416517f702f0f6a7ec0572355dbd
                                              • Opcode Fuzzy Hash: 9e83b12693190d03279f5472766b78828ca76a75c409d9bfa3e662ce3aaed2ce
                                              • Instruction Fuzzy Hash: 1421F271504200EFDF25DF14D9C0B26BBA6FB88315F24C96DEC494B296C33AD84ACA75
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00D5D01C Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051085701.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d5d000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 198e0df018990e5128f2d28c0d34c8b511d421a746e97515594f7a9625185cc7
                                              • Instruction ID: 42e9788951b4221f138772486d6fedd7b3d2b42a67fdb1c93c2db9c726462bb3
                                              • Opcode Fuzzy Hash: 198e0df018990e5128f2d28c0d34c8b511d421a746e97515594f7a9625185cc7
                                              • Instruction Fuzzy Hash: 4521F575504200DFDF25DF18D9C4B16BB66EB84325F24C56DDC494B296C33AD80BCA71
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00D5D005 Relevance: .1, Instructions: 62COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051085701.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d5d000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7e9c0e1416134a6d14b8946c043be42f09a80d10d2bf13c6372daf966b472a07
                                              • Instruction ID: f33d887f2bcb032fb80e1cf7f8bb91a59ffaffe018534532bfd0a8614f37091c
                                              • Opcode Fuzzy Hash: 7e9c0e1416134a6d14b8946c043be42f09a80d10d2bf13c6372daf966b472a07
                                              • Instruction Fuzzy Hash: 44215E755093808FDB12CF24D994715BF72EB46314F28C5EADC498B6A7C33A980ACB72
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00D4D3D3 Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051008539.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d4d000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                              • Instruction ID: 05125e9e9d90930b87e207d51e18d0b55f1e57d5bb41f274f053eddde249f93a
                                              • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                              • Instruction Fuzzy Hash: 07112676404240CFCF02CF10D5C4B16BF72FB94324F28C2A9D8090B256C33AE85ACBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00D5D1CF Relevance: .1, Instructions: 53COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051085701.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d5d000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                              • Instruction ID: 7fa567c7e9780cd6450dca1f057851f13ed599f53925f07808ed19b9c81d79a1
                                              • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                              • Instruction Fuzzy Hash: 94118B75504280DFDB16CF14D5C4B15BBA2FB84314F28C6ADDC494B696C33AD84ACB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Function 0804F840 Relevance: .4, Instructions: 381COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf78f07113f21f70abe83853d2e92e0e31b971d6b908703f2c07e8f90abc2de0
                                              • Instruction ID: f795980522177431586be2435884bec0035b92dc90d53e0c240c6b01d2b13626
                                              • Opcode Fuzzy Hash: cf78f07113f21f70abe83853d2e92e0e31b971d6b908703f2c07e8f90abc2de0
                                              • Instruction Fuzzy Hash: 9AD19AB0A412058FDB19DB76C910BAEB7F7AF89302F14846DD145DB291CF38E906CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08048DD0 Relevance: .3, Instructions: 312COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21d1b73dea91987d954d2435cbe9632c3e5cd2880accd7e34af0ca711dd00cfd
                                              • Instruction ID: 6ee4d4edf6108c2b050df3aafcf84d97a8d684292de3514d0af3ec684e109460
                                              • Opcode Fuzzy Hash: 21d1b73dea91987d954d2435cbe9632c3e5cd2880accd7e34af0ca711dd00cfd
                                              • Instruction Fuzzy Hash: D4E128B4E051198FCB14DFA9C5809AEBBF2FF89301F64C169E415AB356D730A982CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08047FE8 Relevance: .3, Instructions: 312COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a59d94cc1e1dab8f16484b5c8cf73375c8c7afed91a1207f56b6cfd6f14160d2
                                              • Instruction ID: 68409c6649b987290336edc9c6d8cee7f2f11fe92def5ac71357a574f33f3ac8
                                              • Opcode Fuzzy Hash: a59d94cc1e1dab8f16484b5c8cf73375c8c7afed91a1207f56b6cfd6f14160d2
                                              • Instruction Fuzzy Hash: F0E117B4E051198FCB14DFA8C5809AEFBB2BF89305F64C569E405AB356D730A982CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080463A8 Relevance: .3, Instructions: 312COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15674d98de458bcfea83597106eb4b67ca78031d15d379ffaa62b26afb298d90
                                              • Instruction ID: e4d7713fc38cbaebed5065f229750339b234bc3225ce77675fce6eaa1838e8dc
                                              • Opcode Fuzzy Hash: 15674d98de458bcfea83597106eb4b67ca78031d15d379ffaa62b26afb298d90
                                              • Instruction Fuzzy Hash: BEE16BB4E051198FDB14DFA8C5809AEFBF2FF89301F648169D414AB359E731A982CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08048420 Relevance: .3, Instructions: 312COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a51de6974916072e6808dc2d68b90b54c01b944af41a5fa8de460eb6fe9384e
                                              • Instruction ID: 97b8a3bc76510e95b0fd885058f4e7081fa554366f755be57736e484715aa674
                                              • Opcode Fuzzy Hash: 2a51de6974916072e6808dc2d68b90b54c01b944af41a5fa8de460eb6fe9384e
                                              • Instruction Fuzzy Hash: 04E118B4E051198FCB14DFA8C5809AEBBF2FF88305F64C569D815AB355D730A982CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080467E0 Relevance: .3, Instructions: 312COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 75ab6041ff25b7891265181bac96242dd227158ddc657f3d8436d1ee7742cd6e
                                              • Instruction ID: 7eca7b4002ab310b3901b437562e0ef14e7133aac31c9a255a206ccf1dae6458
                                              • Opcode Fuzzy Hash: 75ab6041ff25b7891265181bac96242dd227158ddc657f3d8436d1ee7742cd6e
                                              • Instruction Fuzzy Hash: 5EE137B4E051198FDB14DFA8C5809AEFBF2FF89301F648169D414AB355E731A982CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00F3DC74 Relevance: .3, Instructions: 264COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2051456670.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_f30000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e19a55b5ef118e6c6208cb3718180cb4c9844d806d621f23a3291b33da8cc73f
                                              • Instruction ID: e2c63882ddc884f7a6fb07c1a362dd7c98848cf6a3a6ced97a755ac971b6d818
                                              • Opcode Fuzzy Hash: e19a55b5ef118e6c6208cb3718180cb4c9844d806d621f23a3291b33da8cc73f
                                              • Instruction Fuzzy Hash: 03A17A32E002158FCF09DFB5D9805AEB7B2FF84320B15857AE805AB265DB75E915DB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08047FD8 Relevance: .1, Instructions: 131COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2058283180.0000000008040000.00000040.00000800.00020000.00000000.sdmp, Offset: 08040000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8040000_REMITTANCE COPY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d8ce18de9ea85bf41d7bc9f0a09ae9cde5ecaf0b74178bf2a9cbd7d0a1098281
                                              • Instruction ID: e609ad8cdf7e0e6fbab418e37c10b091ce405fe3fb6151e38583e76f958981d6
                                              • Opcode Fuzzy Hash: d8ce18de9ea85bf41d7bc9f0a09ae9cde5ecaf0b74178bf2a9cbd7d0a1098281
                                              • Instruction Fuzzy Hash: 5C512AB4E052198FCB14DFA9C5809AEFBF2BF89305F24C569D419AB316D7309942CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:10.6%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:100%
                                              Total number of Nodes:3
                                              Total number of Limit Nodes:0
                                              execution_graph 29244 15170a8 29245 15170ec CheckRemoteDebuggerPresent 29244->29245 29246 151712e 29245->29246

                                              Executed Functions

                                              Function 069C66A8 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 125 69c66a8-69c66c9 126 69c66cb-69c66ce 125->126 127 69c66f4-69c66f7 126->127 128 69c66d0-69c66ef 126->128 129 69c66fd-69c671c 127->129 130 69c6e98-69c6e9a 127->130 128->127 138 69c671e-69c6721 129->138 139 69c6735-69c673f 129->139 131 69c6e9c 130->131 132 69c6ea1-69c6ea4 130->132 131->132 132->126 135 69c6eaa-69c6eb3 132->135 138->139 140 69c6723-69c6733 138->140 143 69c6745-69c6754 139->143 140->143 251 69c6756 call 69c6ec8 143->251 252 69c6756 call 69c6ec1 143->252 144 69c675b-69c6760 145 69c676d-69c6a4a 144->145 146 69c6762-69c6768 144->146 167 69c6e8a-69c6e97 145->167 168 69c6a50-69c6aff 145->168 146->135 177 69c6b28 168->177 178 69c6b01-69c6b26 168->178 179 69c6b31-69c6b38 177->179 178->179 181 69c6b3f-69c6b44 179->181 182 69c6b4a-69c6b6c 181->182 183 69c6e71-69c6e7d 181->183 182->183 186 69c6b72-69c6b7c 182->186 183->168 184 69c6e83 183->184 184->167 186->183 187 69c6b82-69c6b8d 186->187 187->183 188 69c6b93-69c6c69 187->188 200 69c6c6b-69c6c6d 188->200 201 69c6c77-69c6ca7 188->201 200->201 205 69c6ca9-69c6cab 201->205 206 69c6cb5-69c6cc1 201->206 205->206 207 69c6d21-69c6d25 206->207 208 69c6cc3-69c6cc7 206->208 209 69c6d2b-69c6d67 207->209 210 69c6e62-69c6e6b 207->210 208->207 211 69c6cc9-69c6cf3 208->211 221 69c6d69-69c6d6b 209->221 222 69c6d75-69c6d83 209->222 210->183 210->188 218 69c6cf5-69c6cf7 211->218 219 69c6d01-69c6d1e 211->219 218->219 219->207 221->222 225 69c6d9a-69c6da5 222->225 226 69c6d85-69c6d90 222->226 229 69c6dbd-69c6dce 225->229 230 69c6da7-69c6dad 225->230 226->225 231 69c6d92 226->231 235 69c6de6-69c6df2 229->235 236 69c6dd0-69c6dd6 229->236 232 69c6daf 230->232 233 69c6db1-69c6db3 230->233 231->225 232->229 233->229 240 69c6e0a-69c6e5b 235->240 241 69c6df4-69c6dfa 235->241 237 69c6dd8 236->237 238 69c6dda-69c6ddc 236->238 237->235 238->235 240->210 242 69c6dfc 241->242 243 69c6dfe-69c6e00 241->243 242->240 243->240 251->144 252->144
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-220072568
                                              • Opcode ID: 928fa14a564b6e36b8a99b52197e71d106e313e1adc7c102f6bdc7044926fcde
                                              • Instruction ID: e9209e15940db727fedb07e458eef7e6d077b7b8b98c6d717b87dcef82be610d
                                              • Opcode Fuzzy Hash: 928fa14a564b6e36b8a99b52197e71d106e313e1adc7c102f6bdc7044926fcde
                                              • Instruction Fuzzy Hash: 7F324F30E1061A8BCB15EF74C99459DF7B6FFC9300F60C66AD409AB264EF30A985CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CEC58 Relevance: 8.0, Strings: 6, Instructions: 475COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 253 69cec58-69cec7a 254 69cec7c-69cec7f 253->254 255 69ceca1-69ceca4 254->255 256 69cec81-69cec9c 254->256 257 69cecbe-69cecc1 255->257 258 69ceca6-69cecad 255->258 256->255 261 69ced00-69ced03 257->261 262 69cecc3-69cecd8 257->262 259 69ceffc-69cf036 258->259 260 69cecb3-69cecb9 258->260 271 69cf038-69cf03b 259->271 260->257 264 69ced0d-69ced10 261->264 265 69ced05-69ced0a 261->265 262->259 272 69cecde-69cecfb 262->272 268 69ced2a-69ced2d 264->268 269 69ced12-69ced19 264->269 265->264 274 69cee12-69cee15 268->274 275 69ced33-69ced36 268->275 269->259 273 69ced1f-69ced25 269->273 276 69cf2a7-69cf2aa 271->276 277 69cf041-69cf069 271->277 272->261 273->268 278 69cedca-69cedcd 274->278 279 69cee17 274->279 280 69ced38-69ced3f 275->280 281 69ced60-69ced63 275->281 284 69cf2ac-69cf2c8 276->284 285 69cf2cd-69cf2cf 276->285 339 69cf06b-69cf06e 277->339 340 69cf073-69cf0b7 277->340 278->259 283 69cedd3-69cedda 278->283 289 69cee1c-69cee1f 279->289 280->259 282 69ced45-69ced55 280->282 286 69ced65-69ced7a 281->286 287 69ceda2-69ceda5 281->287 298 69ceece-69ceed1 282->298 312 69ced5b 282->312 290 69ceddf-69cede2 283->290 284->285 292 69cf2d6-69cf2d9 285->292 293 69cf2d1 285->293 286->259 313 69ced80-69ced9d 286->313 294 69cedac-69cedaf 287->294 295 69ceda7-69ceda9 287->295 296 69cee2f-69cee32 289->296 297 69cee21-69cee28 289->297 301 69cedf4-69cedf7 290->301 302 69cede4-69cedef 290->302 292->271 305 69cf2df-69cf2e8 292->305 293->292 306 69cedc5-69cedc8 294->306 307 69cedb1-69cedba 294->307 295->294 296->298 299 69cee38-69cee3b 296->299 308 69cee2a 297->308 309 69cee02-69cee08 297->309 317 69ceed6-69ceed9 298->317 310 69cee3d-69cee46 299->310 311 69cee4b-69cee4e 299->311 301->298 318 69cedfd-69cee00 301->318 302->301 306->278 306->290 315 69cef78-69cef81 307->315 316 69cedc0 307->316 308->296 319 69cee0d-69cee10 309->319 310->311 321 69cee60-69cee63 311->321 322 69cee50 311->322 312->281 313->287 315->259 320 69cef83-69cef8a 315->320 316->306 325 69ceedb-69ceee1 317->325 326 69ceee6-69ceee9 317->326 318->309 318->319 319->274 319->289 331 69cef8f-69cef92 320->331 327 69cee65-69cee81 321->327 328 69cee86-69cee89 321->328 338 69cee58-69cee5b 322->338 325->326 332 69cef0f-69cef12 326->332 333 69ceeeb-69ceef2 326->333 327->328 342 69cee8b-69cee92 328->342 343 69ceeb3-69ceeb6 328->343 336 69cef94-69cef9d 331->336 337 69cefa2-69cefa5 331->337 334 69cef14-69cef6e call 69c9bc0 332->334 335 69cef73-69cef76 332->335 333->259 341 69ceef8-69cef08 333->341 334->335 335->315 335->331 336->337 337->298 348 69cefab-69cefae 337->348 338->321 339->305 372 69cf29c-69cf2a6 340->372 373 69cf0bd-69cf0c6 340->373 341->342 361 69cef0a 341->361 342->259 345 69cee98-69ceea8 342->345 346 69ceeb8-69ceebb 343->346 347 69ceec0-69ceec3 343->347 345->280 363 69ceeae 345->363 346->347 347->307 350 69ceec9-69ceecc 347->350 351 69cefc4-69cefc7 348->351 352 69cefb0-69cefb7 348->352 350->298 350->317 359 69cefcf-69cefd2 351->359 360 69cefc9-69cefca 351->360 352->259 358 69cefb9-69cefbf 352->358 358->351 365 69cefdf-69cefe1 359->365 366 69cefd4-69cefda 359->366 360->359 361->332 363->343 367 69cefe8-69cefeb 365->367 368 69cefe3 365->368 366->365 367->254 369 69ceff1-69ceffb 367->369 368->367 374 69cf0cc-69cf138 call 69c9bc0 373->374 375 69cf292-69cf297 373->375 387 69cf13e-69cf143 374->387 388 69cf232-69cf247 374->388 375->372 389 69cf15f 387->389 390 69cf145-69cf14b 387->390 388->375 394 69cf161-69cf167 389->394 392 69cf14d-69cf14f 390->392 393 69cf151-69cf153 390->393 395 69cf15d 392->395 393->395 396 69cf17c-69cf189 394->396 397 69cf169-69cf16f 394->397 395->394 404 69cf18b-69cf191 396->404 405 69cf1a1-69cf1ae 396->405 398 69cf21d-69cf22c 397->398 399 69cf175 397->399 398->387 398->388 399->396 400 69cf1e4-69cf1f1 399->400 401 69cf1b0-69cf1bd 399->401 410 69cf209-69cf216 400->410 411 69cf1f3-69cf1f9 400->411 413 69cf1bf-69cf1c5 401->413 414 69cf1d5-69cf1e2 401->414 408 69cf195-69cf197 404->408 409 69cf193 404->409 405->398 408->405 409->405 410->398 415 69cf1fd-69cf1ff 411->415 416 69cf1fb 411->416 417 69cf1c9-69cf1cb 413->417 418 69cf1c7 413->418 414->398 415->410 416->410 417->414 418->414
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-220072568
                                              • Opcode ID: 6f700d8751fcfc0af9032e4caa88b802e511f095c0806a7eee21a6524330a719
                                              • Instruction ID: 6a387640d3d3ea326e625b8a8635474df4d973575d73a6cd09c527bb7f9c3395
                                              • Opcode Fuzzy Hash: 6f700d8751fcfc0af9032e4caa88b802e511f095c0806a7eee21a6524330a719
                                              • Instruction Fuzzy Hash: 84028070E102198FDBA4CF68D5906ADB7B6FF85320F24892EE416DB655DB30DC85CB82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CB398 Relevance: 3.0, Strings: 2, Instructions: 487COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 794 69cb398-69cb3b6 795 69cb3b8-69cb3bb 794->795 796 69cb3bd-69cb3cb 795->796 797 69cb3d2-69cb3d5 795->797 805 69cb3cd 796->805 806 69cb43e-69cb454 796->806 798 69cb3f6-69cb3f9 797->798 799 69cb3d7-69cb3f1 797->799 801 69cb41c-69cb41f 798->801 802 69cb3fb-69cb417 798->802 799->798 803 69cb42c-69cb42e 801->803 804 69cb421-69cb42b 801->804 802->801 808 69cb435-69cb438 803->808 809 69cb430 803->809 805->797 813 69cb66f-69cb679 806->813 814 69cb45a-69cb463 806->814 808->795 808->806 809->808 816 69cb469-69cb486 814->816 817 69cb67a-69cb680 814->817 828 69cb65c-69cb669 816->828 829 69cb48c-69cb4b4 816->829 820 69cb602-69cb627 817->820 821 69cb682-69cb689 817->821 822 69cb628-69cb63e 820->822 821->822 823 69cb68b-69cb68c 821->823 832 69cb64a-69cb656 822->832 825 69cb68e-69cb6af 823->825 826 69cb649 823->826 831 69cb6b1-69cb6b4 825->831 826->832 828->813 828->814 829->828 836 69cb4ba-69cb4c3 829->836 834 69cb6b6-69cb6d2 831->834 835 69cb6d7-69cb6da 831->835 832->828 832->836 834->835 840 69cb90f-69cb912 835->840 841 69cb6e0-69cb6ef 835->841 836->817 838 69cb4c9-69cb4e5 836->838 838->832 853 69cb4eb-69cb515 838->853 844 69cb9bd-69cb9bf 840->844 845 69cb918-69cb924 840->845 856 69cb70e-69cb752 841->856 857 69cb6f1-69cb70c 841->857 847 69cb9c6-69cb9c9 844->847 848 69cb9c1 844->848 855 69cb92f-69cb931 845->855 847->831 852 69cb9cf-69cb9d8 847->852 848->847 880 69cb51b-69cb543 853->880 881 69cb640-69cb645 853->881 858 69cb949-69cb94d 855->858 859 69cb933-69cb939 855->859 868 69cb758-69cb769 856->868 869 69cb8e3-69cb8f8 856->869 857->856 863 69cb94f-69cb959 858->863 864 69cb95b 858->864 860 69cb93d-69cb93f 859->860 861 69cb93b 859->861 860->858 861->858 867 69cb960-69cb962 863->867 864->867 871 69cb964-69cb967 867->871 872 69cb973-69cb9ac 867->872 876 69cb8ce-69cb8dd 868->876 877 69cb76f-69cb78c 868->877 869->840 871->852 872->841 894 69cb9b2-69cb9bc 872->894 876->868 876->869 877->876 890 69cb792-69cb888 call 69c9bc0 877->890 880->881 892 69cb549-69cb577 880->892 881->826 931 69cb88a-69cb894 890->931 932 69cb896 890->932 892->881 899 69cb57d-69cb586 892->899 899->881 900 69cb58c-69cb5be 899->900 907 69cb5c9-69cb5e5 900->907 908 69cb5c0-69cb5c4 900->908 907->832 911 69cb5e7-69cb5fa call 69c9bc0 907->911 908->881 910 69cb5c6 908->910 910->907 911->820 933 69cb89b-69cb89d 931->933 932->933 933->876 934 69cb89f-69cb8a4 933->934 935 69cb8a6-69cb8b0 934->935 936 69cb8b2 934->936 937 69cb8b7-69cb8b9 935->937 936->937 937->876 938 69cb8bb-69cb8c7 937->938 938->876
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq
                                              • API String ID: 0-2246304398
                                              • Opcode ID: 5f0cdbb09a5208c8679eb9a8408ab85b29b6a0dbf650d0bafdc2e5060b822752
                                              • Instruction ID: b8588dbbe68e11aa9c2410e63246d97c92f7bc4ba4aa8477999acd8000b88847
                                              • Opcode Fuzzy Hash: 5f0cdbb09a5208c8679eb9a8408ab85b29b6a0dbf650d0bafdc2e5060b822752
                                              • Instruction Fuzzy Hash: 8D02C230B006098FDB54DF64D591AAEB7B6FF84320F248829D405DB799DB35EC45CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C0040 Relevance: 2.8, Instructions: 2759COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ccf62dabab50dd760a8718e0d220c02392598a7d0f51d613ad09415618989fb4
                                              • Instruction ID: 60c8974b8665780d1b93f14983747127db9e98452dbfc40b48bd13261d33aa0d
                                              • Opcode Fuzzy Hash: ccf62dabab50dd760a8718e0d220c02392598a7d0f51d613ad09415618989fb4
                                              • Instruction Fuzzy Hash: E053E631D10B1A8EDB51EB68C8809A9F7B1FF99310F11D79AE45977121EB70AAC4CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C33C0 Relevance: 2.2, Instructions: 2239COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 039445ec613a597cc36e7d82c75b203f14fb5ac60d3fd2712d2fb4184513ee05
                                              • Instruction ID: 92ddc90fc41869cf0737290c7df4a2517c84ea76807a05d1114a5ce75e2b76fe
                                              • Opcode Fuzzy Hash: 039445ec613a597cc36e7d82c75b203f14fb5ac60d3fd2712d2fb4184513ee05
                                              • Instruction Fuzzy Hash: 18331E31D10B198ECB11EF68C8905ADF7B1FF99310F15C79AE459A7221EB70AAC5CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C0006 Relevance: 2.2, Instructions: 2162COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a4d2d0548dfb684319963542d5568a30fbbc23fb8cb14cca78e46dd2cbe437d1
                                              • Instruction ID: 2fb374cb0e21ba4947f3c718eafa49c468dd8d7c348aecb899a77df6bad483d7
                                              • Opcode Fuzzy Hash: a4d2d0548dfb684319963542d5568a30fbbc23fb8cb14cca78e46dd2cbe437d1
                                              • Instruction Fuzzy Hash: 6233E331D10B1A8ECB51EB68C8849A9F7B1FF99310F11D79AE45977121FB70AAC4CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 015170A8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 2556 15170a8-151712c CheckRemoteDebuggerPresent 2558 1517135-1517170 2556->2558 2559 151712e-1517134 2556->2559 2559->2558
                                              APIs
                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0151711F
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2075920176.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1510000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CheckDebuggerPresentRemote
                                              • String ID:
                                              • API String ID: 3662101638-0
                                              • Opcode ID: 5207011d09eb5c5a5ae650e183bfd8a188614228071004a3c3c38d10f74c5ffd
                                              • Instruction ID: 76c27f83321bdfcf13ac2d305963b852df98452018c419f810c8a54e6cecd300
                                              • Opcode Fuzzy Hash: 5207011d09eb5c5a5ae650e183bfd8a188614228071004a3c3c38d10f74c5ffd
                                              • Instruction Fuzzy Hash: 632128B18002598FDB10CF9AD884BEEFBF4EF59320F14845AE455A7251D778A944CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C59B8 Relevance: 1.0, Instructions: 1016COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1d1572fc36c849bf1ec093d991dc732030a0ec9b28b7b4a9695523083a6fb09
                                              • Instruction ID: d6f8bdc579978bfb53aa479b55e03a5a61158c588705691142f6edea6053f610
                                              • Opcode Fuzzy Hash: e1d1572fc36c849bf1ec093d991dc732030a0ec9b28b7b4a9695523083a6fb09
                                              • Instruction Fuzzy Hash: CF926834A002048FDB64DB68C684A6DB7F6FF45320F6588AED409EB765DB35EC85CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C9C10 Relevance: .8, Instructions: 818COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7921b461747f6e3ac8c659f328903d0328063a6c191571f8f8ac49fe52bac164
                                              • Instruction ID: f53794c2cab6713832268b40b70c2be64dc27771994ad2e7c1cfbcff0f0fcafa
                                              • Opcode Fuzzy Hash: 7921b461747f6e3ac8c659f328903d0328063a6c191571f8f8ac49fe52bac164
                                              • Instruction Fuzzy Hash: 5062AF30B002098FDB54DB68D594AADB7F6FF88320F248469E806EB795DB35ED45CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C87E0 Relevance: .6, Instructions: 591COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4f422d693bb6e5b29763ece07bb3a1ba587ee15d0cf65c1d2ce382f64f3812d5
                                              • Instruction ID: 010edf63ae75501ec79b2f2cfd1575fcc920752846dc9a8ec789788ae83f30f8
                                              • Opcode Fuzzy Hash: 4f422d693bb6e5b29763ece07bb3a1ba587ee15d0cf65c1d2ce382f64f3812d5
                                              • Instruction Fuzzy Hash: AE12B431F002159BDB60DB64CA806AEBBB6FF85320F24842ED955DB794DB34EC45CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CE837 Relevance: .6, Instructions: 590COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cdec6e9f335b311a1718c449bbfe5a1d3829b532b02a208bf4b0f9f3d859714d
                                              • Instruction ID: b22319e8a76f1993e02c0996cdaf0f2564a4bd69bf700ce9c940d4e24dcdf793
                                              • Opcode Fuzzy Hash: cdec6e9f335b311a1718c449bbfe5a1d3829b532b02a208bf4b0f9f3d859714d
                                              • Instruction Fuzzy Hash: F4227F74E102098FDF60DB58D590BAEB7BAEB85320F74842AE406DB795DB34DC81CB52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CE2E0 Relevance: 11.6, Strings: 9, Instructions: 390COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 69ce2e0-69ce2fe 1 69ce300-69ce303 0->1 2 69ce314-69ce317 1->2 3 69ce305-69ce309 1->3 4 69ce319-69ce32c 2->4 5 69ce331-69ce334 2->5 6 69ce50c-69ce516 3->6 7 69ce30f 3->7 4->5 8 69ce4fd-69ce506 5->8 9 69ce33a-69ce33d 5->9 7->2 8->6 11 69ce352-69ce35b 8->11 12 69ce34d-69ce350 9->12 13 69ce33f-69ce348 9->13 15 69ce517-69ce54e 11->15 16 69ce361-69ce365 11->16 12->11 14 69ce36a-69ce36d 12->14 13->12 17 69ce36f-69ce374 14->17 18 69ce377-69ce37a 14->18 24 69ce550-69ce553 15->24 16->14 17->18 20 69ce37c-69ce398 18->20 21 69ce39d-69ce3a0 18->21 20->21 22 69ce3b4-69ce3b6 21->22 23 69ce3a2-69ce3af 21->23 25 69ce3bd-69ce3c0 22->25 26 69ce3b8 22->26 23->22 27 69ce555-69ce55f 24->27 28 69ce560-69ce563 24->28 25->1 31 69ce3c6-69ce3ea 25->31 26->25 32 69ce7cc-69ce7cf 28->32 33 69ce569-69ce5a4 28->33 55 69ce4fa 31->55 56 69ce3f0-69ce3ff 31->56 35 69ce7d1-69ce7ed 32->35 36 69ce7f2-69ce7f5 32->36 41 69ce5aa-69ce5b6 33->41 42 69ce797-69ce7aa 33->42 35->36 39 69ce804-69ce807 36->39 40 69ce7f7 call 69ce837 36->40 44 69ce818-69ce81a 39->44 45 69ce809-69ce80d 39->45 50 69ce7fd-69ce7ff 40->50 58 69ce5b8-69ce5d1 41->58 59 69ce5d6-69ce61a 41->59 51 69ce7ac 42->51 47 69ce81c 44->47 48 69ce821-69ce824 44->48 45->33 46 69ce813 45->46 46->44 47->48 48->24 52 69ce82a-69ce834 48->52 50->39 57 69ce7ad 51->57 55->8 61 69ce417-69ce452 call 69c9bc0 56->61 62 69ce401-69ce407 56->62 57->57 58->51 75 69ce61c-69ce62e 59->75 76 69ce636-69ce675 59->76 80 69ce46a-69ce481 61->80 81 69ce454-69ce45a 61->81 64 69ce409 62->64 65 69ce40b-69ce40d 62->65 64->61 65->61 75->76 82 69ce75c-69ce771 76->82 83 69ce67b-69ce756 call 69c9bc0 76->83 92 69ce499-69ce4aa 80->92 93 69ce483-69ce489 80->93 84 69ce45c 81->84 85 69ce45e-69ce460 81->85 82->42 83->82 84->80 85->80 99 69ce4ac-69ce4b2 92->99 100 69ce4c2-69ce4f3 92->100 95 69ce48d-69ce48f 93->95 96 69ce48b 93->96 95->92 96->92 102 69ce4b4 99->102 103 69ce4b6-69ce4b8 99->103 100->55 102->100 103->100
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: W$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-2051485347
                                              • Opcode ID: 7fcba54cbeb6d8ac921020dbc644d3946014f1199af060005d9a82cefff9a7fc
                                              • Instruction ID: 29e94240dbfddc43ffb71bd666d0e2707a57641e09f56f9b4cf9ff67c4c6cb4e
                                              • Opcode Fuzzy Hash: 7fcba54cbeb6d8ac921020dbc644d3946014f1199af060005d9a82cefff9a7fc
                                              • Instruction Fuzzy Hash: 71E18D30E1020A8FDF65DF68D5906AEB7B6FF85310F20892DD406DB755DB74A846CB82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CC768 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 421 69cc768-69cc78d 422 69cc78f-69cc792 421->422 423 69cc7b8-69cc7bb 422->423 424 69cc794-69cc7b3 422->424 425 69cd07b-69cd07d 423->425 426 69cc7c1-69cc7d6 423->426 424->423 428 69cd07f 425->428 429 69cd084-69cd087 425->429 433 69cc7ee-69cc804 426->433 434 69cc7d8-69cc7de 426->434 428->429 429->422 430 69cd08d-69cd097 429->430 438 69cc80f-69cc811 433->438 435 69cc7e0 434->435 436 69cc7e2-69cc7e4 434->436 435->433 436->433 439 69cc829-69cc89a 438->439 440 69cc813-69cc819 438->440 451 69cc89c-69cc8bf 439->451 452 69cc8c6-69cc8e2 439->452 441 69cc81d-69cc81f 440->441 442 69cc81b 440->442 441->439 442->439 451->452 457 69cc90e-69cc929 452->457 458 69cc8e4-69cc907 452->458 463 69cc92b-69cc94d 457->463 464 69cc954-69cc96f 457->464 458->457 463->464 469 69cc99a-69cc9a4 464->469 470 69cc971-69cc993 464->470 471 69cc9b4-69cca2e 469->471 472 69cc9a6-69cc9af 469->472 470->469 478 69cca7b-69cca90 471->478 479 69cca30-69cca4e 471->479 472->430 478->425 483 69cca6a-69cca79 479->483 484 69cca50-69cca5f 479->484 483->478 483->479 484->483
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq
                                              • API String ID: 0-812946093
                                              • Opcode ID: c612f04d0f25a065ba400588f6cf0ebb8aa33de312d107e00e516a885993b91a
                                              • Instruction ID: 87cf6971ab6654f51a66a7ff67d380ddf7a291174133813e19ed87f249ad1bc1
                                              • Opcode Fuzzy Hash: c612f04d0f25a065ba400588f6cf0ebb8aa33de312d107e00e516a885993b91a
                                              • Instruction Fuzzy Hash: 4D916230F1061A8FDB54EF65D9607AEB7B6EFC5210F108569D409EB398EB30DC868B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C7DB0 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 748 69c7db0-69c7dd4 749 69c7dd6-69c7dd9 748->749 750 69c7ddf-69c7ed7 749->750 751 69c84b8-69c84bb 749->751 771 69c7edd-69c7f2a call 69c8658 750->771 772 69c7f5a-69c7f61 750->772 752 69c84dc-69c84de 751->752 753 69c84bd-69c84d7 751->753 755 69c84e5-69c84e8 752->755 756 69c84e0 752->756 753->752 755->749 758 69c84ee-69c84fb 755->758 756->755 785 69c7f30-69c7f4c 771->785 773 69c7fe5-69c7fee 772->773 774 69c7f67-69c7fd7 772->774 773->758 791 69c7fd9 774->791 792 69c7fe2 774->792 788 69c7f4e 785->788 789 69c7f57 785->789 788->789 789->772 791->792 792->773
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fjq$XPjq$\Ojq
                                              • API String ID: 0-216941231
                                              • Opcode ID: b79936faa8c5097f4417a460d7b9ff2f3f6131353ca9b7eaa7d17e0c4521494f
                                              • Instruction ID: a0f59e002e0728cc46acf95a3e9f6a50704f9430077defd3d9d4bf2b688113de
                                              • Opcode Fuzzy Hash: b79936faa8c5097f4417a460d7b9ff2f3f6131353ca9b7eaa7d17e0c4521494f
                                              • Instruction Fuzzy Hash: B0616F70F002199FEB549FA5C9547AEBAB6FF88310F20842EE505EB395DE758C058F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CC758 Relevance: 2.7, Strings: 2, Instructions: 170COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1538 69cc758-69cc78d 1539 69cc78f-69cc792 1538->1539 1540 69cc7b8-69cc7bb 1539->1540 1541 69cc794-69cc7b3 1539->1541 1542 69cd07b-69cd07d 1540->1542 1543 69cc7c1-69cc7d6 1540->1543 1541->1540 1545 69cd07f 1542->1545 1546 69cd084-69cd087 1542->1546 1550 69cc7ee-69cc804 1543->1550 1551 69cc7d8-69cc7de 1543->1551 1545->1546 1546->1539 1547 69cd08d-69cd097 1546->1547 1555 69cc80f-69cc811 1550->1555 1552 69cc7e0 1551->1552 1553 69cc7e2-69cc7e4 1551->1553 1552->1550 1553->1550 1556 69cc829-69cc89a 1555->1556 1557 69cc813-69cc819 1555->1557 1568 69cc89c-69cc8bf 1556->1568 1569 69cc8c6-69cc8e2 1556->1569 1558 69cc81d-69cc81f 1557->1558 1559 69cc81b 1557->1559 1558->1556 1559->1556 1568->1569 1574 69cc90e-69cc929 1569->1574 1575 69cc8e4-69cc907 1569->1575 1580 69cc92b-69cc94d 1574->1580 1581 69cc954-69cc96f 1574->1581 1575->1574 1580->1581 1586 69cc99a-69cc9a4 1581->1586 1587 69cc971-69cc993 1581->1587 1588 69cc9b4-69cca2e 1586->1588 1589 69cc9a6-69cc9af 1586->1589 1587->1586 1595 69cca7b-69cca90 1588->1595 1596 69cca30-69cca4e 1588->1596 1589->1547 1595->1542 1600 69cca6a-69cca79 1596->1600 1601 69cca50-69cca5f 1596->1601 1600->1595 1600->1596 1601->1600
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq
                                              • API String ID: 0-2246304398
                                              • Opcode ID: 66da9e1ccd523e6e3ff0c6f41da1a23c45d7945d5c8ef4ee52b42c8ab4611b87
                                              • Instruction ID: baad53eb54d685fc5fbe815f8a1f935e7ca40effeb3884be38c1f58d79e2e34c
                                              • Opcode Fuzzy Hash: 66da9e1ccd523e6e3ff0c6f41da1a23c45d7945d5c8ef4ee52b42c8ab4611b87
                                              • Instruction Fuzzy Hash: AC517430B1011A9FDB54EB74EA60BAE77F6EF89210F14856DD409E7398EA31DC41CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 015170A0 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 2550 15170a0-151712c CheckRemoteDebuggerPresent 2552 1517135-1517170 2550->2552 2553 151712e-1517134 2550->2553 2553->2552
                                              APIs
                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0151711F
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2075920176.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1510000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CheckDebuggerPresentRemote
                                              • String ID:
                                              • API String ID: 3662101638-0
                                              • Opcode ID: 77eaf464c2c9dd0acd2e6a851ef54067eba6ba1b11c7b6d4f2be28423f33e706
                                              • Instruction ID: cfc5ca5cb77e503625f23f7feff4d400ce983890767a9d1e0fb964a66a4091b8
                                              • Opcode Fuzzy Hash: 77eaf464c2c9dd0acd2e6a851ef54067eba6ba1b11c7b6d4f2be28423f33e706
                                              • Instruction Fuzzy Hash: 6E2169B2800259CFDB10CFA9D884BEEFBF4EF59320F24846AD455A7251D7789945CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C7DA0 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: XPjq
                                              • API String ID: 0-4216394854
                                              • Opcode ID: 407a72dcbac26f1fbbcf6dc6617749e33a099a7bc42db22b32f21cacb7050db7
                                              • Instruction ID: 97631315e622dde33c194ee1d38e787e21573d1ad317cd202b10393e7484ebc9
                                              • Opcode Fuzzy Hash: 407a72dcbac26f1fbbcf6dc6617749e33a099a7bc42db22b32f21cacb7050db7
                                              • Instruction Fuzzy Hash: 79417F74B002099FDB55DFA5C854BAEBBF6FF88300F20852AE505AB3A5DB749C058F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C5840 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHeq
                                              • API String ID: 0-2873676430
                                              • Opcode ID: 7286f2d5cbe4986d95015d331cfacb02bfa432cc19ef611a6b7fd0de10f37609
                                              • Instruction ID: 5746a18ff751ea52d0136b580c2e1a6f06f96c757ad7992792a12a1875126b81
                                              • Opcode Fuzzy Hash: 7286f2d5cbe4986d95015d331cfacb02bfa432cc19ef611a6b7fd0de10f37609
                                              • Instruction Fuzzy Hash: 6F31E0B0B002058FCB55AB34D52466F7BABEF89620F64486CD406EB3A9EE31EC45C7D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CB90E Relevance: 1.3, Strings: 1, Instructions: 30COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq
                                              • API String ID: 0-731066626
                                              • Opcode ID: d944131af0ccdd359ffd0daa03dd6ac65794bc50e5e480b104c531d83b2050f9
                                              • Instruction ID: 591c00f8686dad98a52b5c6d9bbaad794c7d5a2199cc042eec1f2796efd97f96
                                              • Opcode Fuzzy Hash: d944131af0ccdd359ffd0daa03dd6ac65794bc50e5e480b104c531d83b2050f9
                                              • Instruction Fuzzy Hash: 91F0A036A18219CFDFA44F41EAA22657369AB60278B2404AACE01D796CC331C904CA92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C7C99 Relevance: 1.3, Strings: 1, Instructions: 25COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Ojq
                                              • API String ID: 0-1665755004
                                              • Opcode ID: 7dee43a3fb7e98856e607428996980472c1893c8f787bfbfaa4840e1ee2de0c8
                                              • Instruction ID: 8b0c1832cabe7fc270fd634a8e5e04ac7160fe62cd085846173182676289ec6b
                                              • Opcode Fuzzy Hash: 7dee43a3fb7e98856e607428996980472c1893c8f787bfbfaa4840e1ee2de0c8
                                              • Instruction Fuzzy Hash: C3F0F870A5012AEFDB14DF94E859BAEBBB6FF88710F20451AE402AB394CB741C05CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C74E0 Relevance: .2, Instructions: 247COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9db9bda26e475392f1a69c13b3663e6ca6807f399796a39cb000ed8ecd86e270
                                              • Instruction ID: 812165a44971901a7b3e30cd9a7212efb0d4368a6dc38d24da1dd0a244f0e095
                                              • Opcode Fuzzy Hash: 9db9bda26e475392f1a69c13b3663e6ca6807f399796a39cb000ed8ecd86e270
                                              • Instruction Fuzzy Hash: B7916F30B106098BDF54DBB9D6907AEB7B6EF85310F248429D50ADF398EB34DC428B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C9408 Relevance: .2, Instructions: 229COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7afad912e5d6dc0d3e13f6d69f9dff39c0c76c45ba913215156baccdcab1cd43
                                              • Instruction ID: 678b0c0804a91cd68bebae712a409815fe788aecbb1c412bdb70bdce5249c322
                                              • Opcode Fuzzy Hash: 7afad912e5d6dc0d3e13f6d69f9dff39c0c76c45ba913215156baccdcab1cd43
                                              • Instruction Fuzzy Hash: 5461A171F005214FCB559B6ED88066FBADBAFD4220B254439E80EDB364DE69DD0287D2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C7800 Relevance: .2, Instructions: 222COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb43b5260457fa518c225ba157b4d1778e564f45e7f883a18deee0b517a23795
                                              • Instruction ID: c411722ea59c2408cc77f44904fde5c6995b09ab152e9bda0621e89b4317e581
                                              • Opcode Fuzzy Hash: cb43b5260457fa518c225ba157b4d1778e564f45e7f883a18deee0b517a23795
                                              • Instruction Fuzzy Hash: D4914D70E006198FDF60DFA8C890B9DB7B1FF89310F208699D549BB295DB70AA85CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C7818 Relevance: .2, Instructions: 210COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd8cab9014b6d1779901bbbb6640e9c9ccc88840030a0af3db84a2af89c1686b
                                              • Instruction ID: 001e2c6a9bb73e71a2a413abb79ab22146dcf16ed343fb49d1e3345a24455a77
                                              • Opcode Fuzzy Hash: bd8cab9014b6d1779901bbbb6640e9c9ccc88840030a0af3db84a2af89c1686b
                                              • Instruction Fuzzy Hash: 03913E74E0061A8BDF60DFA8C880B9DB7B1FF89310F208599D549BB295DB70AA85CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C8658 Relevance: .1, Instructions: 136COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1c44828f9b434abeddd63a2aad275868b2e811cc39f0edd5924992d6ee986fab
                                              • Instruction ID: 61180e75c98fa191f21142dc0df0960c00d137e949b694ded862d9a078822f02
                                              • Opcode Fuzzy Hash: 1c44828f9b434abeddd63a2aad275868b2e811cc39f0edd5924992d6ee986fab
                                              • Instruction Fuzzy Hash: 31418275E006059FDB60CFA9DA80AAFFBBAFB84320F20492ED115D7650D330E9459B92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C56F0 Relevance: .1, Instructions: 101COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ccf54db675ba8b4cdca61511760cad39e43ea3a1df17d49481606d67f58879b4
                                              • Instruction ID: 0fe562976bf5924c88cb58b302e69689a35b1cf0785631ea9d32d0b846388592
                                              • Opcode Fuzzy Hash: ccf54db675ba8b4cdca61511760cad39e43ea3a1df17d49481606d67f58879b4
                                              • Instruction Fuzzy Hash: 20319034E102059BCB55CF64C994A9EB7B6FF89310F21C51DE806EB750EB70AC82CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C5700 Relevance: .1, Instructions: 91COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ee264f7a6e30a38ee5dfaedefcf8dc02c81dfc8274666281d4a4d0a60721c36
                                              • Instruction ID: dd7353345b02c55a5eecfada8437f05e50457c0bbd855884df6c18de4afb2c49
                                              • Opcode Fuzzy Hash: 9ee264f7a6e30a38ee5dfaedefcf8dc02c81dfc8274666281d4a4d0a60721c36
                                              • Instruction Fuzzy Hash: 88318034E10606DBCB59CFA4C994A9EB7F6EF89310F21C529E806E7754EB70AC41CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C70E8 Relevance: .1, Instructions: 81COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 92a0d3450818ca849f6dc829c7d086dc6a22d83e70682a494df3d34a2a8aaf33
                                              • Instruction ID: 8021af28214f57c289afdc3496e44c41c89a1e5ad955a057e22dea8fea7bf70f
                                              • Opcode Fuzzy Hash: 92a0d3450818ca849f6dc829c7d086dc6a22d83e70682a494df3d34a2a8aaf33
                                              • Instruction Fuzzy Hash: 43217C75F112199FDB40DFA9D991AAEBBF5EB48360F148029E905EB394DB31D9008FA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C70F8 Relevance: .1, Instructions: 78COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ebf27d3bddcf252b1e4bb1afe3afc5cfe0fc6613b40f8094ea250121126a4f1b
                                              • Instruction ID: e6828c7c9d68be0da57412e1c00454291cd2e7f27d69d145391adcc46281e7f5
                                              • Opcode Fuzzy Hash: ebf27d3bddcf252b1e4bb1afe3afc5cfe0fc6613b40f8094ea250121126a4f1b
                                              • Instruction Fuzzy Hash: 67218B71F112199FDB40DFA9DA90AAEB7F5EB48220F148029E901EB394EB30DD008B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C743F Relevance: .1, Instructions: 62COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: acf150400a9a59409ea5629548e65a4ca71dd18e32c07d3c0a8e377dbd5aae07
                                              • Instruction ID: 9a4f72f08ed60550119432cffe6153e5f226a448f6af7b3a3429ddeacff0bfdd
                                              • Opcode Fuzzy Hash: acf150400a9a59409ea5629548e65a4ca71dd18e32c07d3c0a8e377dbd5aae07
                                              • Instruction Fuzzy Hash: FC01B130B041104FDB6196BC94607ABBBEBDBDA721F24853EE50ACB795D925CC064791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C7208 Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f206123e630a985389687aa94f3fed9be4ee1caca4eb76b894231f6a13930f7
                                              • Instruction ID: 019ac6cc4710794bb722aeb3dc84bb78520c06e71b171595960aa9469a844b26
                                              • Opcode Fuzzy Hash: 9f206123e630a985389687aa94f3fed9be4ee1caca4eb76b894231f6a13930f7
                                              • Instruction Fuzzy Hash: 62116131F105294BDF5496A8D9246AE73EEEBC9221F104539E906EB358EE35DC028BE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CD919 Relevance: .1, Instructions: 57COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d9e9cde59810f70792856f9115d0c21aa1d1109d1f90bcfc898a345af5e03629
                                              • Instruction ID: 0a2c1e3ae61034f5466ae21a3aa12a0035b57e092669d0f345d71f2173e70c8f
                                              • Opcode Fuzzy Hash: d9e9cde59810f70792856f9115d0c21aa1d1109d1f90bcfc898a345af5e03629
                                              • Instruction Fuzzy Hash: 7A0124707012110FC751AB38D9B0B6BB7DADF86720F20853DE44EC7355DA25DC058382
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C6EC1 Relevance: .1, Instructions: 54COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf9ebbb669e6d84b27c0e308aea70d48ed145d22924f9670de5012a153087dbe
                                              • Instruction ID: 1e5b6c3472f9629b6fc975a257d275594e71aa96ba0445e27600a5479b191ae8
                                              • Opcode Fuzzy Hash: cf9ebbb669e6d84b27c0e308aea70d48ed145d22924f9670de5012a153087dbe
                                              • Instruction Fuzzy Hash: CD21C2B5D01259AFDB10CF9AD884ADEFFF8FB48320F10812AE518A7241C375A954CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C71F8 Relevance: .1, Instructions: 54COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b0e531207c8a3ff49ffa96262297bb84c03b5c59bbf8da0e52cffb1858d1b913
                                              • Instruction ID: 3ac8f181dae5df82b293ba1366e4d56cc06574ea8d89b19cd29b77a900124ee0
                                              • Opcode Fuzzy Hash: b0e531207c8a3ff49ffa96262297bb84c03b5c59bbf8da0e52cffb1858d1b913
                                              • Instruction Fuzzy Hash: 6C018472F104154BDF5495A8A9306FB73EF9BC8221F20403AE50AE7758EE24CC024BD2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C6EC8 Relevance: .1, Instructions: 52COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 458c251dd6b674b4e801695f5801840690c565f05615f9bbddb6a42c8374867f
                                              • Instruction ID: 504c8e7ea7291c159dea494996f953cdc336b53f60a2d5a16569ecc8c6aa7812
                                              • Opcode Fuzzy Hash: 458c251dd6b674b4e801695f5801840690c565f05615f9bbddb6a42c8374867f
                                              • Instruction Fuzzy Hash: 6811D3B5D002599FCB10CF9AD884ADEFBF8FB48320F10812AE518A7200C3746944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C7450 Relevance: .1, Instructions: 51COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 46930b2350c00234eb06f62db32ae330a54206ca21d9ab2ae5f0d7e5aac730a8
                                              • Instruction ID: 64c8613dd6e5b1ff2fff8740361a740572ae97207371af034f32d6332bfbb7ea
                                              • Opcode Fuzzy Hash: 46930b2350c00234eb06f62db32ae330a54206ca21d9ab2ae5f0d7e5aac730a8
                                              • Instruction Fuzzy Hash: C101A930B004144BDB659ABD9460B6AB7DFCBC9630F20883EE60ECB784ED25DC024782
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CD928 Relevance: .0, Instructions: 46COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 596de02cb22e22b813c189f74741e3e0b658b2f3b9db3f6bbe0957a1a0078c1f
                                              • Instruction ID: ad5c8adc4b8bf6dfca96b7b52aed7a4dbab7be6008c0863e6791fba3878a63e0
                                              • Opcode Fuzzy Hash: 596de02cb22e22b813c189f74741e3e0b658b2f3b9db3f6bbe0957a1a0078c1f
                                              • Instruction Fuzzy Hash: ED01AF74B111154BDB65EB68D5B0B2AB3DADF89620F20893DE10ED7358EA25EC068782
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069C9A91 Relevance: .0, Instructions: 31COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eb36a10c1b24f47496e14d87e60db58a6d32d1bd47af77d8f4522fd9227b63a1
                                              • Instruction ID: af3fbed920b5f518329843511a4b0edbed729b50ac2d692b621c118bf7d2a9ed
                                              • Opcode Fuzzy Hash: eb36a10c1b24f47496e14d87e60db58a6d32d1bd47af77d8f4522fd9227b63a1
                                              • Instruction Fuzzy Hash: 47E09270D19208AFDF50DB748A0179B7BBDEB82324F3184ADE485CB642E636CE0187D2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Function 069CACB8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-2049195972
                                              • Opcode ID: 7915fbfd5862dc7f76d151ccc045d4ef50931449488fcf95f8f468f4e032129b
                                              • Instruction ID: ea4d54d368549547024778a42f0e2ed90e1613e20c2cba13b1b3192eb29d0285
                                              • Opcode Fuzzy Hash: 7915fbfd5862dc7f76d151ccc045d4ef50931449488fcf95f8f468f4e032129b
                                              • Instruction Fuzzy Hash: 41124D30E0121ACFDB64DF65C954AAEB7B6FF88310F20856DD409AB269DB309D85CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CDF48 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-1110479544
                                              • Opcode ID: 9b8692c4744dc4e10c78f4a1a7728ec9724fb1d91a69df2434d17328aed1eff6
                                              • Instruction ID: 92e2fa5a96e4e89898b3c89308691e15cceb5083ad683ab1a730131ad756a4f9
                                              • Opcode Fuzzy Hash: 9b8692c4744dc4e10c78f4a1a7728ec9724fb1d91a69df2434d17328aed1eff6
                                              • Instruction Fuzzy Hash: A191A030A1020ADFEB65DF64D994BAE7BB6BF84310F20852DE40297694DB749D41CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CA6B8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-1622854337
                                              • Opcode ID: 6acc7669e0ad39ecffc7ee005adbc4b60de0675aa88fdff174aeeebf46be5cd1
                                              • Instruction ID: 663420b29cb4ed4553702d269e6cee1990c8822549dc8e45f7fa11818e96027b
                                              • Opcode Fuzzy Hash: 6acc7669e0ad39ecffc7ee005adbc4b60de0675aa88fdff174aeeebf46be5cd1
                                              • Instruction Fuzzy Hash: C6F13D30B1020ECFDB55EB64D594A6EB7B2FF84310F24856DD4169B399CB35AC82CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CB9F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq
                                              • API String ID: 0-812946093
                                              • Opcode ID: f4e0909bd27482274a5473a3e1a9ddc108966d9fc06a6481b76b888053f63f59
                                              • Instruction ID: 739d0304bcee8365b3dcea6647096c14c6bea363ca3876ccc174ba6b0f40f0d6
                                              • Opcode Fuzzy Hash: f4e0909bd27482274a5473a3e1a9ddc108966d9fc06a6481b76b888053f63f59
                                              • Instruction Fuzzy Hash: 0EB14C70A002098FDB65DF68D59169EB7B6FF84310F24882ED406DB7A8DB75DC86CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CBE08 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LReq$LReq$$eq$$eq
                                              • API String ID: 0-731573373
                                              • Opcode ID: 272649c84ce39fb31e4d82e4f85ecc9dee128dff8a16d763d62aade5e19ad243
                                              • Instruction ID: 348d2c6dd8efa66a548228baaa6eae1569dd033d97062496207feeae24f44f5d
                                              • Opcode Fuzzy Hash: 272649c84ce39fb31e4d82e4f85ecc9dee128dff8a16d763d62aade5e19ad243
                                              • Instruction Fuzzy Hash: DD51D030B00205DFDB54EB24D9A1A6EB7A6FF84710F14896DE516DB3A9DA30EC44CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 069CE2D1 Relevance: 5.2, Strings: 4, Instructions: 163COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2085648397.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_69c0000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq
                                              • API String ID: 0-812946093
                                              • Opcode ID: 7c946578a60ec071447ecb6cc2f10ccf99e3493c329c0f843055efcbb9e07872
                                              • Instruction ID: 3d60715c0be043a138cdbc719f325030c6a87b08da381fef964ce7d57a250861
                                              • Opcode Fuzzy Hash: 7c946578a60ec071447ecb6cc2f10ccf99e3493c329c0f843055efcbb9e07872
                                              • Instruction Fuzzy Hash: CA51AF30A102059BDF65DB68D5906AEB7BAFF85320F24892DE417DB794DB30EC41CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:8.5%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:54
                                              Total number of Limit Nodes:2
                                              execution_graph 24242 2ab4668 24243 2ab467a 24242->24243 24244 2ab4686 24243->24244 24246 2ab4778 24243->24246 24247 2ab479d 24246->24247 24251 2ab4888 24247->24251 24255 2ab4878 24247->24255 24253 2ab48af 24251->24253 24252 2ab498c 24252->24252 24253->24252 24259 2ab449c 24253->24259 24257 2ab48af 24255->24257 24256 2ab498c 24257->24256 24258 2ab449c CreateActCtxA 24257->24258 24258->24256 24260 2ab5918 CreateActCtxA 24259->24260 24262 2ab59cf 24260->24262 24263 2abd0b8 24264 2abd0fe 24263->24264 24268 2abd298 24264->24268 24271 2abd287 24264->24271 24265 2abd1eb 24270 2abd2c6 24268->24270 24276 2abc9a0 24268->24276 24270->24265 24272 2abd292 24271->24272 24275 2abd24b 24271->24275 24273 2abc9a0 DuplicateHandle 24272->24273 24274 2abd2c6 24273->24274 24274->24265 24275->24265 24277 2abd300 DuplicateHandle 24276->24277 24278 2abd396 24277->24278 24278->24270 24279 2abad38 24280 2abad47 24279->24280 24283 2abae21 24279->24283 24291 2abae30 24279->24291 24284 2abae41 24283->24284 24285 2abae64 24283->24285 24284->24285 24299 2abb0b9 24284->24299 24303 2abb0c8 24284->24303 24285->24280 24286 2abae5c 24286->24285 24287 2abb068 GetModuleHandleW 24286->24287 24288 2abb095 24287->24288 24288->24280 24292 2abae41 24291->24292 24293 2abae64 24291->24293 24292->24293 24297 2abb0b9 LoadLibraryExW 24292->24297 24298 2abb0c8 LoadLibraryExW 24292->24298 24293->24280 24294 2abb068 GetModuleHandleW 24296 2abb095 24294->24296 24295 2abae5c 24295->24293 24295->24294 24296->24280 24297->24295 24298->24295 24300 2abb0dc 24299->24300 24301 2abb101 24300->24301 24307 2aba870 24300->24307 24301->24286 24304 2abb0dc 24303->24304 24305 2aba870 LoadLibraryExW 24304->24305 24306 2abb101 24304->24306 24305->24306 24306->24286 24308 2abb2a8 LoadLibraryExW 24307->24308 24310 2abb321 24308->24310 24310->24301

                                              Executed Functions

                                              Function 051F7790 Relevance: 4.0, Strings: 3, Instructions: 293COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1215 51f7790-51f77aa 1218 51f77ac-51f77ae 1215->1218 1219 51f77b1 1215->1219 1218->1219 1220 51f77b3-51f77ba 1219->1220 1221 51f7741-51f7743 1219->1221 1223 51f77bc-51f77be 1220->1223 1224 51f77c1-51f77da 1220->1224 1222 51fe978-51fe9ed 1221->1222 1231 51fe9ef-51fe9f5 1222->1231 1232 51fe9f6-51fea13 1222->1232 1223->1224 1227 51f77dc-51f77e0 1224->1227 1228 51f77e1-51f7813 1224->1228 1227->1228 1233 51f781a-51f7890 1228->1233 1234 51f7815 1228->1234 1231->1232 1241 51f7893 1233->1241 1234->1233 1242 51f789a-51f78b6 1241->1242 1243 51f78bf-51f78c0 1242->1243 1244 51f78b8 1242->1244 1245 51f7a0e-51f7a7e 1243->1245 1249 51f78c5-51f78da 1243->1249 1244->1241 1244->1245 1246 51f78dc-51f791b 1244->1246 1247 51f7967-51f7991 1244->1247 1248 51f7996-51f79cc 1244->1248 1244->1249 1250 51f79f2-51f7a09 1244->1250 1251 51f79d1-51f79ed 1244->1251 1252 51f7920-51f7924 1244->1252 1253 51f7950-51f7962 1244->1253 1267 51f7a80 call 51f90dc 1245->1267 1268 51f7a80 call 51f9064 1245->1268 1269 51f7a80 call 51f95a3 1245->1269 1270 51f7a80 call 51f8ad2 1245->1270 1271 51f7a80 call 51f8ae0 1245->1271 1246->1242 1247->1242 1248->1242 1249->1242 1250->1242 1251->1242 1254 51f7937-51f793e 1252->1254 1255 51f7926-51f7935 1252->1255 1253->1242 1258 51f7945-51f794b 1254->1258 1255->1258 1258->1242 1266 51f7a86-51f7a90 1266->1222 1267->1266 1268->1266 1269->1266 1270->1266 1271->1266
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Teeq$Teeq$)"
                                              • API String ID: 0-1356520842
                                              • Opcode ID: a99e48754e334801a740424854c98dcc73536628fae30a307a31b149465c12aa
                                              • Instruction ID: 0e498a1848835bd0fd916a317be0bf1adac90d5684561a8ec5934aac7736cd12
                                              • Opcode Fuzzy Hash: a99e48754e334801a740424854c98dcc73536628fae30a307a31b149465c12aa
                                              • Instruction Fuzzy Hash: CFC148B1E052488FDB04CFAAD884ADEFBF2FF89310F14846AD515AB295D734A945CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F77F0 Relevance: 4.0, Strings: 3, Instructions: 201COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1272 51f77f0-51f7813 1273 51f781a-51f7890 1272->1273 1274 51f7815 1272->1274 1279 51f7893 1273->1279 1274->1273 1280 51f789a-51f78b6 1279->1280 1281 51f78bf-51f78c0 1280->1281 1282 51f78b8 1280->1282 1283 51f7a0e-51f7a7e 1281->1283 1287 51f78c5-51f78da 1281->1287 1282->1279 1282->1283 1284 51f78dc-51f791b 1282->1284 1285 51f7967-51f7991 1282->1285 1286 51f7996-51f79cc 1282->1286 1282->1287 1288 51f79f2-51f7a09 1282->1288 1289 51f79d1-51f79ed 1282->1289 1290 51f7920-51f7924 1282->1290 1291 51f7950-51f7962 1282->1291 1312 51f7a80 call 51f90dc 1283->1312 1313 51f7a80 call 51f9064 1283->1313 1314 51f7a80 call 51f95a3 1283->1314 1315 51f7a80 call 51f8ad2 1283->1315 1316 51f7a80 call 51f8ae0 1283->1316 1284->1280 1285->1280 1286->1280 1287->1280 1288->1280 1289->1280 1292 51f7937-51f793e 1290->1292 1293 51f7926-51f7935 1290->1293 1291->1280 1296 51f7945-51f794b 1292->1296 1293->1296 1296->1280 1304 51f7a86-51fe9ed 1308 51fe9ef-51fe9f5 1304->1308 1309 51fe9f6-51fea13 1304->1309 1308->1309 1312->1304 1313->1304 1314->1304 1315->1304 1316->1304
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Teeq$Teeq$)"
                                              • API String ID: 0-1356520842
                                              • Opcode ID: 859abe4f16cae6e2776313ca175c5fcb780ca117101936c958e0333d81fd920a
                                              • Instruction ID: f09aa11a1a72ae8010abf7b86d08512f25c13270d1370b673a4d86f2d82840c1
                                              • Opcode Fuzzy Hash: 859abe4f16cae6e2776313ca175c5fcb780ca117101936c958e0333d81fd920a
                                              • Instruction Fuzzy Hash: 3381D474E012098FDB48CFAAD9849EEFBB2FF88310F24942AD516AB254D7345945CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F994D Relevance: 1.6, Strings: 1, Instructions: 312COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tIh
                                              • API String ID: 0-443931868
                                              • Opcode ID: 303380a3ba431971edc7accb1c86ba1c91ef9e3284546b6cab89a74902c44125
                                              • Instruction ID: 2906c8389c75c2c9bb75bc9487a9013a33ad1cdf5795211ea52a7f6094b9b6eb
                                              • Opcode Fuzzy Hash: 303380a3ba431971edc7accb1c86ba1c91ef9e3284546b6cab89a74902c44125
                                              • Instruction Fuzzy Hash: 73D19070D0524ADFCB08DF95C8849AEFBB2FF88300B15D565D516AB254D734EA82CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F9990 Relevance: 1.6, Strings: 1, Instructions: 302COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tIh
                                              • API String ID: 0-443931868
                                              • Opcode ID: e6b80868a2d09ecca5b2133a0b095b2119f23386bfc83481e26f2571c06fb889
                                              • Instruction ID: a3f391a9a57480cdd2bbe724d4817438e8a2bf5c4df1ffdb1337454aa9acb374
                                              • Opcode Fuzzy Hash: e6b80868a2d09ecca5b2133a0b095b2119f23386bfc83481e26f2571c06fb889
                                              • Instruction Fuzzy Hash: 79D16C70E0520ADFDB08DF99C4849AEFBB2FF88340B11D555D516AB364D734AA82CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC9E8 Relevance: .2, Instructions: 231COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 24fd6543d8e7921ed3a7d8758288f19a9f8fcc7eafed7a6b1f0a9fd4026a3ae5
                                              • Instruction ID: 14ab6812ceed1acaf7014045ca8e9c057443083e2604bf23c36435498bd2348d
                                              • Opcode Fuzzy Hash: 24fd6543d8e7921ed3a7d8758288f19a9f8fcc7eafed7a6b1f0a9fd4026a3ae5
                                              • Instruction Fuzzy Hash: 7F914870D1A20CDFDB18CFA9D58099DFBB2FB89314F24A42AE106BB264D7349941DF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC9D9 Relevance: .2, Instructions: 224COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4f73293837db38d20fca3e80e8bba6abdd0a5487996d9eebbc7e2444cc79b16b
                                              • Instruction ID: 6a2bff5f361ff430377928a296163b82b142b2dbe503f94a8084424e20af4718
                                              • Opcode Fuzzy Hash: 4f73293837db38d20fca3e80e8bba6abdd0a5487996d9eebbc7e2444cc79b16b
                                              • Instruction Fuzzy Hash: 15915870D1A208DFDB08CFA9D58099DFBB2FF89300F24A42AE106B7264D7349941DF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC6D0 Relevance: .2, Instructions: 204COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0ba93219166e16bd62d28f10f732b18d4fbba138085d5b19ce56a835b8f311d3
                                              • Instruction ID: 8edc0ccff6f2ddaf14dd576479d5cab5eba21065f0eba9e686c4d1c996766f6d
                                              • Opcode Fuzzy Hash: 0ba93219166e16bd62d28f10f732b18d4fbba138085d5b19ce56a835b8f311d3
                                              • Instruction Fuzzy Hash: B7810374E09219DFDB04DFA9D9809EEFBB2FB88300F10AA5AD506B7254D7349942CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC6C1 Relevance: .2, Instructions: 202COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48c3702f222db0badbde3f6b7c38afa2dfe47aaafc7ef52aaba4ff311092d7a2
                                              • Instruction ID: 43668a20f0539d7822c1f6a02358d75e0f2799dce598938735fe1214589c72f1
                                              • Opcode Fuzzy Hash: 48c3702f222db0badbde3f6b7c38afa2dfe47aaafc7ef52aaba4ff311092d7a2
                                              • Instruction Fuzzy Hash: 89812374E05219CFDB04DFA9C9809EEFBB2FB88300F00AA2AD501A7254D7389942CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F8AE0 Relevance: .1, Instructions: 66COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 519c1563974d952e76c7e79f604eab5f642c3bdabf00398c03748c558fcf79de
                                              • Instruction ID: 4a7743afcfb07c74d4662bdfc97e9cdc32de5fc35c9a6ce5de802f03cd368620
                                              • Opcode Fuzzy Hash: 519c1563974d952e76c7e79f604eab5f642c3bdabf00398c03748c558fcf79de
                                              • Instruction Fuzzy Hash: 4E21F8B1E016189BEB18CF9BD8446DEFBF3AFC8310F14C07AD509A6258DB741A86CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F8AD2 Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5a89250a026cef82e6834c1f16249588ee749399e46a14e80b87806dfc0a13d9
                                              • Instruction ID: bfb5edf711e844774f9c2a7f673ed52f3825d8921cef21cae1fc70ce09734d80
                                              • Opcode Fuzzy Hash: 5a89250a026cef82e6834c1f16249588ee749399e46a14e80b87806dfc0a13d9
                                              • Instruction Fuzzy Hash: D121CAB1E016589BEB18CF9BC94569EFBF3AFC8310F14C179D409A6258DB741A86CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F49EE Relevance: 16.6, Strings: 13, Instructions: 371COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 294 51f49ee-51f49f3 295 51f4a4d 294->295 296 51f49f5-51f4a1e call 51f4318 294->296 297 51f4a4e 295->297 298 51f4a37-51f4a45 295->298 306 51f516f 296->306 307 51f4a24-51f4a30 296->307 301 51f4a4f-51f4a64 297->301 303 51f4a46-51f4a4c 298->303 305 51f4a6d-51f4a6f 301->305 303->295 303->298 308 51f4a87-51f4a8a 305->308 309 51f4a71-51f4a77 305->309 306->306 310 51f4984-51f4987 307->310 323 51f4a94-51f4aa3 308->323 313 51f4a7b-51f4a7d 309->313 314 51f4a79 309->314 311 51f4989 310->311 312 51f4990-51f49a2 310->312 311->303 311->312 315 51f4c5f-51f4c73 311->315 316 51f4d1b-51f4d30 311->316 317 51f4bba-51f4bc2 311->317 318 51f4b19-51f4b42 311->318 319 51f4a35 311->319 320 51f49b5-51f49c3 311->320 321 51f4bf5-51f4c4e call 51f303c 311->321 322 51f4c75-51f4ca7 311->322 311->323 324 51f4ab3-51f4ae2 311->324 325 51f4caf-51f4cb5 311->325 326 51f4b6c-51f4b7f 311->326 327 51f4bc7-51f4bcb 311->327 328 51f4b47-51f4b55 311->328 329 51f49c6-51f49c8 311->329 330 51f49a4-51f49a8 311->330 331 51f4d41-51f4d45 311->331 312->310 313->308 314->308 363 51f4c53-51f4c56 315->363 360 51f4d35-51f4d38 316->360 317->310 318->310 319->298 320->329 321->363 322->325 368 51f4aa9-51f4aae 323->368 369 51f5045-51f5054 323->369 396 51f4ae6-51f4af2 324->396 397 51f4ae4 324->397 336 51f4cbb-51f4cc7 325->336 337 51f4cb7-51f4cb9 325->337 326->306 366 51f4b85-51f4ba3 326->366 338 51f4bee-51f4bf3 327->338 339 51f4bcd-51f4bd7 327->339 328->306 332 51f4b5b-51f4b67 328->332 340 51f49ca-51f49d0 329->340 341 51f49e4 329->341 334 51f49ae-51f49b3 330->334 335 51f5163-51f516c 330->335 343 51f4d47-51f4d50 331->343 344 51f4d66 331->344 332->310 334->310 350 51f4cc9-51f4d08 336->350 337->350 353 51f4be9 338->353 339->306 352 51f4bdd-51f4be4 339->352 355 51f49d6-51f49d8 340->355 356 51f49d2-51f49d4 340->356 359 51f49e6-51f49ed 341->359 361 51f4d57-51f4d5a 343->361 362 51f4d52-51f4d55 343->362 347 51f4d69-51f4d6b 344->347 364 51f4d6d 347->364 365 51f4d74-51f4d79 347->365 404 51f4d0a 350->404 405 51f4d14-51f4d19 350->405 352->353 353->310 370 51f49e2 355->370 356->370 359->294 360->331 371 51f4d3a 360->371 372 51f4d64 361->372 362->372 363->315 384 51f4c58 363->384 373 51f4d72 364->373 365->373 366->306 375 51f4ba9-51f4bb5 366->375 368->310 386 51f505b-51f5068 369->386 387 51f5056-51f5059 369->387 370->359 371->331 371->369 380 51f4d7b-51f4d88 371->380 381 51f4fc6-51f4fd0 371->381 382 51f50d5-51f50ff 371->382 383 51f4d90 371->383 372->347 373->360 375->310 380->383 381->306 385 51f4fd6-51f4fe2 381->385 411 51f5145-51f514a 382->411 412 51f5101-51f510b 382->412 383->381 384->315 384->316 384->322 384->325 384->331 384->380 384->383 389 51f506a-51f509c 386->389 387->389 415 51f509e-51f50a4 389->415 416 51f50b4-51f50be 389->416 401 51f4af4-51f4b14 396->401 397->401 401->310 407 51f4d0f 404->407 405->407 407->363 411->335 417 51f5140 411->417 412->306 414 51f510d-51f511d 412->414 414->306 419 51f511f-51f5132 414->419 420 51f50a8-51f50aa 415->420 421 51f50a6 415->421 416->306 422 51f50c4-51f50d0 416->422 419->306 424 51f5134-51f513e 419->424 420->416 421->416 424->417
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fjq$ fjq$ fjq$ fjq$ fjq$ fjq$Teeq$XXeq$XXeq$XXeq$XXeq$XXeq$$eq
                                              • API String ID: 0-1770534105
                                              • Opcode ID: 2e8f54f1766ec0c54980d9cf08316d046be227ab4240dba418c6a7a85726e5e2
                                              • Instruction ID: 019a25c7cdbdcf9f3195cea6aadde22975a3a0054a98f002d60e9f050b3bbf29
                                              • Opcode Fuzzy Hash: 2e8f54f1766ec0c54980d9cf08316d046be227ab4240dba418c6a7a85726e5e2
                                              • Instruction Fuzzy Hash: 0DE15D74B04248CFDB14DFA8C454BBEBBB3BF84700F658465E606AB299DB749C81CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F3530 Relevance: 15.5, Strings: 12, Instructions: 484COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Teeq$Teeq$Teeq$Teeq$Teeq$Teeq$Teeq$Teeq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-314014371
                                              • Opcode ID: 7cf6a029dbdfaffec0a4989099f22ad0ccf89ccebaa0fa376e056f3219e216a8
                                              • Instruction ID: 358d59d8e0e2aa52e53e749f7046c33ac959423c33d6b9992261b70294b789dd
                                              • Opcode Fuzzy Hash: 7cf6a029dbdfaffec0a4989099f22ad0ccf89ccebaa0fa376e056f3219e216a8
                                              • Instruction Fuzzy Hash: BE02A074B01208DFDB19DB68D859BBE7AB3BF84710F148925E612AB3D4CB749C81CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F4D93 Relevance: 15.3, Strings: 12, Instructions: 258COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 616 51f4d93 617 51f4d98-51f4d9b 616->617 618 51f4dad-51f4dbc 617->618 619 51f4d9d 617->619 644 51f4dbe-51f4dc4 618->644 645 51f4dd4-51f4e23 618->645 619->618 620 51f514c-51f5160 619->620 621 51f503b-51f5040 619->621 622 51f4e49-51f4e5c 619->622 623 51f4ed8-51f4edc 619->623 624 51f4f27-51f4f3a 619->624 625 51f4fe7-51f4ffa 619->625 626 51f4fc6-51f4fd0 619->626 627 51f5045-51f5054 619->627 628 51f50d5-51f50ff 619->628 629 51f5163-51f516c 619->629 621->617 651 51f4e5e-51f4e70 622->651 652 51f4e72 622->652 632 51f4eff 623->632 633 51f4ede-51f4ee7 623->633 630 51f516f 624->630 650 51f4f40-51f4f48 624->650 648 51f501d-51f5027 625->648 649 51f4ffc-51f5006 625->649 626->630 631 51f4fd6-51f4fe2 626->631 646 51f505b-51f5068 627->646 647 51f5056-51f5059 627->647 684 51f5145-51f514a 628->684 685 51f5101-51f510b 628->685 630->630 636 51f4f02-51f4f22 632->636 642 51f4eee-51f4efb 633->642 643 51f4ee9-51f4eec 633->643 636->617 654 51f4efd 642->654 643->654 655 51f4dc8-51f4dca 644->655 656 51f4dc6 644->656 708 51f4e2b-51f4e35 645->708 653 51f506a-51f509c 646->653 647->653 648->630 662 51f502d-51f5039 648->662 649->630 659 51f500c-51f5013 649->659 660 51f4f6b 650->660 661 51f4f4a-51f4f53 650->661 663 51f4e75-51f4e79 651->663 652->663 701 51f509e-51f50a4 653->701 702 51f50b4-51f50be 653->702 654->636 655->645 656->645 668 51f5018 659->668 671 51f4f6e-51f4f70 660->671 669 51f4f5a-51f4f67 661->669 670 51f4f55-51f4f58 661->670 662->668 672 51f4e7b-51f4e84 663->672 673 51f4e9a 663->673 668->617 676 51f4f69 669->676 670->676 677 51f4f8e 671->677 678 51f4f72-51f4f78 671->678 679 51f4e8b-51f4e8e 672->679 680 51f4e86-51f4e89 672->680 682 51f4e9d-51f4ec1 673->682 676->671 690 51f4f90-51f4f92 677->690 687 51f4f7e-51f4f8a 678->687 688 51f4f7a-51f4f7c 678->688 689 51f4e98 679->689 680->689 682->630 703 51f4ec7-51f4ed3 682->703 684->629 698 51f5140 684->698 685->630 691 51f510d-51f511d 685->691 693 51f4f8c 687->693 688->693 689->682 696 51f4fac-51f4fc1 690->696 697 51f4f94-51f4f9a 690->697 691->630 699 51f511f-51f5132 691->699 693->690 696->617 704 51f4f9e-51f4faa 697->704 705 51f4f9c 697->705 699->630 707 51f5134-51f513e 699->707 709 51f50a8-51f50aa 701->709 710 51f50a6 701->710 702->630 711 51f50c4-51f50d0 702->711 703->617 704->696 705->696 707->698 708->630 712 51f4e3b-51f4e44 708->712 709->702 710->702 712->617
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fjq$ fjq$ fjq$Teeq$Teeq$XXeq$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-2906940812
                                              • Opcode ID: 5eb892547c6f8d17f72aaaf47dc312be79cc9081e88c3fbd7ffee1436fd2cae5
                                              • Instruction ID: b648b34c73253e17df11dd89d27a19e8c4b7ce8226e6fab9ca31b9ed7a0a33a1
                                              • Opcode Fuzzy Hash: 5eb892547c6f8d17f72aaaf47dc312be79cc9081e88c3fbd7ffee1436fd2cae5
                                              • Instruction Fuzzy Hash: 5FA16274B04228DFDB28CF98C844A7EB7B3BF84701F268565E6069F295D7749C81CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F4DAC Relevance: 10.2, Strings: 8, Instructions: 240COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 714 51f4dac 715 51f4dad-51f4dbc 714->715 717 51f4dbe-51f4dc4 715->717 718 51f4dd4-51f4e23 715->718 719 51f4dc8-51f4dca 717->719 720 51f4dc6 717->720 724 51f4e2b-51f4e35 718->724 719->718 720->718 725 51f516f 724->725 726 51f4e3b-51f4e44 724->726 725->725 727 51f4d98-51f4d9b 726->727 727->715 728 51f4d9d 727->728 728->715 729 51f514c-51f5160 728->729 730 51f503b-51f5040 728->730 731 51f4e49-51f4e5c 728->731 732 51f4ed8-51f4edc 728->732 733 51f4f27-51f4f3a 728->733 734 51f4fe7-51f4ffa 728->734 735 51f4fc6-51f4fd0 728->735 736 51f5045-51f5054 728->736 737 51f50d5-51f50ff 728->737 738 51f5163-51f516c 728->738 730->727 756 51f4e5e-51f4e70 731->756 757 51f4e72 731->757 740 51f4eff 732->740 741 51f4ede-51f4ee7 732->741 733->725 755 51f4f40-51f4f48 733->755 753 51f501d-51f5027 734->753 754 51f4ffc-51f5006 734->754 735->725 739 51f4fd6-51f4fe2 735->739 751 51f505b-51f5068 736->751 752 51f5056-51f5059 736->752 785 51f5145-51f514a 737->785 786 51f5101-51f510b 737->786 743 51f4f02-51f4f22 740->743 749 51f4eee-51f4efb 741->749 750 51f4ee9-51f4eec 741->750 743->727 758 51f4efd 749->758 750->758 759 51f506a-51f509c 751->759 752->759 753->725 765 51f502d-51f5039 753->765 754->725 762 51f500c-51f5013 754->762 763 51f4f6b 755->763 764 51f4f4a-51f4f53 755->764 767 51f4e75-51f4e79 756->767 757->767 758->743 801 51f509e-51f50a4 759->801 802 51f50b4-51f50be 759->802 774 51f5018 762->774 770 51f4f6e-51f4f70 763->770 775 51f4f5a-51f4f67 764->775 776 51f4f55-51f4f58 764->776 765->774 771 51f4e7b-51f4e84 767->771 772 51f4e9a 767->772 777 51f4f8e 770->777 778 51f4f72-51f4f78 770->778 779 51f4e8b-51f4e8e 771->779 780 51f4e86-51f4e89 771->780 782 51f4e9d-51f4ec1 772->782 774->727 783 51f4f69 775->783 776->783 790 51f4f90-51f4f92 777->790 787 51f4f7e-51f4f8a 778->787 788 51f4f7a-51f4f7c 778->788 789 51f4e98 779->789 780->789 782->725 803 51f4ec7-51f4ed3 782->803 783->770 785->738 798 51f5140 785->798 786->725 792 51f510d-51f511d 786->792 793 51f4f8c 787->793 788->793 789->782 796 51f4fac-51f4fc1 790->796 797 51f4f94-51f4f9a 790->797 792->725 799 51f511f-51f5132 792->799 793->790 796->727 804 51f4f9e-51f4faa 797->804 805 51f4f9c 797->805 799->725 807 51f5134-51f513e 799->807 808 51f50a8-51f50aa 801->808 809 51f50a6 801->809 802->725 810 51f50c4-51f50d0 802->810 803->727 804->796 805->796 807->798 808->802 809->802
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fjq$ fjq$Teeq$XXeq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-2400119280
                                              • Opcode ID: 0167fbefc8c6965c2b301b9e75a1e7b53365c127b4445aeccbcb200b0c310b11
                                              • Instruction ID: 3d9dc7b938c0509ebaf0608dc3f02da1df32a72b41f395c74b301e80412974d2
                                              • Opcode Fuzzy Hash: 0167fbefc8c6965c2b301b9e75a1e7b53365c127b4445aeccbcb200b0c310b11
                                              • Instruction Fuzzy Hash: F1916075A04218DFDB28CF98C844ABEB7B3FF40701F168566E6069F295D7749C81CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F3E00 Relevance: 10.1, Strings: 8, Instructions: 56COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 812 51f3e00-51f3e16 813 51f3e38-51f3e73 812->813 817 51f3e75-51f3e7c 813->817 818 51f3eaf-51f3ebf 817->818 819 51f3e7e-51f3e8a 817->819 820 51f3e18-51f3e1b 819->820 821 51f3e1d 820->821 822 51f3e24-51f3e36 820->822 821->813 821->817 821->822 824 51f3e8c-51f3e98 821->824 825 51f3e9b-51f3eae 821->825 822->820 824->825
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8iq$8iq$8iq$LReq$LReq$]$$eq$$eq
                                              • API String ID: 0-3448090565
                                              • Opcode ID: f6b8a60c81bd4b88c6bb94d0dcef5494838257fdd8b77962b115d6c37b04177e
                                              • Instruction ID: c72657e3c4d4a9cd94ef877682ae152e7806295134ec6995125eb1dd0276ac57
                                              • Opcode Fuzzy Hash: f6b8a60c81bd4b88c6bb94d0dcef5494838257fdd8b77962b115d6c37b04177e
                                              • Instruction Fuzzy Hash: F0113671E10254EFD754AB7998067AEBFB2EF88310F004D26E615E73C2DB385981CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F3521 Relevance: 9.2, Strings: 7, Instructions: 420COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Teeq$Teeq$Teeq$Teeq$Teeq$$eq$$eq
                                              • API String ID: 0-3195343334
                                              • Opcode ID: edb65d718027f2523182a8ff72be3ef7304dc76d9347c2e8ff855c91d6c281a2
                                              • Instruction ID: d9eb589126a83802f870eb966bf888976a5fd2021cd66d4ddd18a62bd33ccd80
                                              • Opcode Fuzzy Hash: edb65d718027f2523182a8ff72be3ef7304dc76d9347c2e8ff855c91d6c281a2
                                              • Instruction Fuzzy Hash: 8DF1BD74B01204DFEB18DB68D859BBE7AB3BF84711F148925E612AB3D4CB749C81CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02ABAE30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 195COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1020 2abae30-2abae3f 1021 2abae6b-2abae6f 1020->1021 1022 2abae41-2abae4e call 2ab9838 1020->1022 1024 2abae83-2abaec4 1021->1024 1025 2abae71-2abae7b 1021->1025 1029 2abae50 1022->1029 1030 2abae64 1022->1030 1031 2abaed1-2abaedf 1024->1031 1032 2abaec6-2abaece 1024->1032 1025->1024 1075 2abae56 call 2abb0b9 1029->1075 1076 2abae56 call 2abb0c8 1029->1076 1030->1021 1033 2abaf03-2abaf05 1031->1033 1034 2abaee1-2abaee6 1031->1034 1032->1031 1036 2abaf08-2abaf0f 1033->1036 1037 2abaee8-2abaeef call 2aba814 1034->1037 1038 2abaef1 1034->1038 1035 2abae5c-2abae5e 1035->1030 1039 2abafa0-2abb060 1035->1039 1042 2abaf1c-2abaf23 1036->1042 1043 2abaf11-2abaf19 1036->1043 1040 2abaef3-2abaf01 1037->1040 1038->1040 1070 2abb068-2abb093 GetModuleHandleW 1039->1070 1071 2abb062-2abb065 1039->1071 1040->1036 1044 2abaf30-2abaf39 call 2aba824 1042->1044 1045 2abaf25-2abaf2d 1042->1045 1043->1042 1051 2abaf3b-2abaf43 1044->1051 1052 2abaf46-2abaf4b 1044->1052 1045->1044 1051->1052 1054 2abaf69-2abaf6d 1052->1054 1055 2abaf4d-2abaf54 1052->1055 1059 2abaf73-2abaf76 1054->1059 1055->1054 1056 2abaf56-2abaf66 call 2aba834 call 2aba844 1055->1056 1056->1054 1061 2abaf99-2abaf9f 1059->1061 1062 2abaf78-2abaf96 1059->1062 1062->1061 1072 2abb09c-2abb0b0 1070->1072 1073 2abb095-2abb09b 1070->1073 1071->1070 1073->1072 1075->1035 1076->1035
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02ABB086
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID: ,O$,O
                                              • API String ID: 4139908857-201552661
                                              • Opcode ID: 639504678254f14c6ae742eb1cfd7cd9a0f4a63c8bf3d1da57a98538161bd959
                                              • Instruction ID: e8df084df707e85e6ef1cdb4d1137d042d0b9858a1b2021b0577a6bad7802300
                                              • Opcode Fuzzy Hash: 639504678254f14c6ae742eb1cfd7cd9a0f4a63c8bf3d1da57a98538161bd959
                                              • Instruction Fuzzy Hash: 687138B0A00B058FDB25DF69D58579ABBF5FF48304F00892ED48AD7A42DB35E945CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F342B Relevance: 5.3, Strings: 4, Instructions: 258COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1077 51f342b 1078 51f37e8 1077->1078 1079 51f37b7-51f37ba 1077->1079 1082 51f37eb-51f37ed 1078->1082 1080 51f37bc 1079->1080 1081 51f37c3-51f37c7 1079->1081 1080->1081 1083 51f383e-51f3843 1080->1083 1084 51f380e-51f3812 1080->1084 1085 51f3848 1080->1085 1086 51f38b8-51f38bc 1080->1086 1087 51f38e8-51f38f2 1080->1087 1088 51f3a37-51f3aac 1080->1088 1089 51f3b06-51f3b0b 1080->1089 1090 51f3905 1080->1090 1091 51f3881-51f3885 1080->1091 1081->1078 1092 51f37c9-51f37d2 1081->1092 1093 51f37ef 1082->1093 1094 51f37f6-51f3800 1082->1094 1083->1079 1095 51f3835 1084->1095 1096 51f3814-51f381d 1084->1096 1105 51f384b-51f3870 1085->1105 1107 51f38df 1086->1107 1108 51f38be-51f38c7 1086->1108 1102 51f3908-51f390d 1087->1102 1103 51f38f4-51f3900 1087->1103 1188 51f3aae-51f3ab4 1088->1188 1189 51f3ac4-51f3acc 1088->1189 1097 51f3912-51f3915 1089->1097 1090->1102 1098 51f3887-51f3890 1091->1098 1099 51f38a6 1091->1099 1100 51f37d9-51f37dc 1092->1100 1101 51f37d4-51f37d7 1092->1101 1104 51f37f4 1093->1104 1094->1105 1106 51f3802-51f380c 1094->1106 1121 51f3838 1095->1121 1118 51f381f-51f3822 1096->1118 1119 51f3824-51f3831 1096->1119 1109 51f3927-51f392b 1097->1109 1110 51f3917 1097->1110 1111 51f3897-51f389a 1098->1111 1112 51f3892-51f3895 1098->1112 1115 51f38a9-51f38ab 1099->1115 1113 51f37e6 1100->1113 1101->1113 1102->1097 1122 51f3875-51f3878 1103->1122 1104->1079 1105->1122 1106->1104 1120 51f38e2 1107->1120 1116 51f38ce-51f38db 1108->1116 1117 51f38c9-51f38cc 1108->1117 1128 51f394e 1109->1128 1129 51f392d-51f3936 1109->1129 1110->1088 1110->1089 1110->1109 1123 51f3969-51f396d 1110->1123 1124 51f3bd3-51f3bea 1110->1124 1125 51f3c32-51f3c39 1110->1125 1126 51f3ad1-51f3af0 1110->1126 1127 51f3b10-51f3b14 1110->1127 1131 51f38a4 1111->1131 1112->1131 1113->1082 1132 51f38ad 1115->1132 1133 51f38b1-51f38b6 1115->1133 1134 51f38dd 1116->1134 1117->1134 1135 51f3833 1118->1135 1119->1135 1120->1087 1121->1083 1122->1091 1130 51f387a 1122->1130 1145 51f396f-51f3978 1123->1145 1146 51f3990 1123->1146 1171 51f3bec-51f3bf2 1124->1171 1172 51f3c02 1124->1172 1205 51f3af5 call 51f765c 1126->1205 1206 51f3af5 call 51f767c 1126->1206 1207 51f3af5 call 51f766c 1126->1207 1208 51f3af5 call 51f7639 1126->1208 1209 51f3af5 call 51fe428 1126->1209 1210 51f3af5 call 51fe470 1126->1210 1211 51f3af5 call 51fe3e0 1126->1211 1138 51f3b37 1127->1138 1139 51f3b16-51f3b1f 1127->1139 1142 51f3951-51f395b 1128->1142 1140 51f393d-51f394a 1129->1140 1141 51f3938-51f393b 1129->1141 1130->1086 1130->1087 1130->1088 1130->1089 1130->1090 1130->1091 1130->1109 1130->1123 1130->1124 1130->1125 1130->1126 1130->1127 1131->1115 1144 51f38af 1132->1144 1133->1144 1134->1120 1135->1121 1154 51f3b3a-51f3bbc 1138->1154 1151 51f3b26-51f3b33 1139->1151 1152 51f3b21-51f3b24 1139->1152 1153 51f394c 1140->1153 1141->1153 1162 51f3966 1142->1162 1144->1122 1155 51f397f-51f398c 1145->1155 1156 51f397a-51f397d 1145->1156 1157 51f3993-51f39fc 1146->1157 1160 51f3b35 1151->1160 1152->1160 1153->1142 1154->1102 1203 51f3bc2-51f3bce 1154->1203 1164 51f398e 1155->1164 1156->1164 1195 51f39fe-51f3a04 1157->1195 1196 51f3a14-51f3a21 1157->1196 1160->1154 1162->1123 1164->1157 1174 51f3bf6-51f3bf8 1171->1174 1175 51f3bf4 1171->1175 1212 51f3c04 call 51ffdd8 1172->1212 1213 51f3c04 call 51ffdf0 1172->1213 1214 51f3c04 call 51ffe00 1172->1214 1174->1172 1175->1172 1178 51f3afb-51f3afd call 51fee25 1183 51f3b03 1178->1183 1179 51f3c0a 1184 51f3c11-51f3c1b 1179->1184 1183->1089 1184->1102 1186 51f3c21-51f3c2d 1184->1186 1186->1097 1191 51f3ab8-51f3aba 1188->1191 1192 51f3ab6 1188->1192 1189->1097 1191->1189 1192->1189 1197 51f3a08-51f3a0a 1195->1197 1198 51f3a06 1195->1198 1196->1102 1199 51f3a27-51f3a32 1196->1199 1197->1196 1198->1196 1199->1097 1203->1097 1205->1178 1206->1178 1207->1178 1208->1178 1209->1178 1210->1178 1211->1178 1212->1179 1213->1179 1214->1179
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Teeq$Teeq$$eq$$eq
                                              • API String ID: 0-1316153869
                                              • Opcode ID: ce37bd634eb867477c0514ec82b7a3f5dd9422ce7e8f2b176b9fb15ab6ef2803
                                              • Instruction ID: 6ed71c38ce3d87b7784ea1745f23b0cb2ec4bd1c86ec282fd0bd7ad447e3f4e1
                                              • Opcode Fuzzy Hash: ce37bd634eb867477c0514ec82b7a3f5dd9422ce7e8f2b176b9fb15ab6ef2803
                                              • Instruction Fuzzy Hash: 4AA1AF74B05208EFDB29DB68D859BBD7BB3BF44710F158925E612AB2D0CB748C81CB21
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F3852 Relevance: 2.7, Strings: 2, Instructions: 236COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1394 51f3852-51f3859 1395 51f385b-51f3870 1394->1395 1396 51f3850 1394->1396 1398 51f3875-51f3878 1395->1398 1396->1395 1399 51f387a 1398->1399 1400 51f3881-51f3885 1398->1400 1399->1400 1401 51f3969-51f396d 1399->1401 1402 51f38b8-51f38bc 1399->1402 1403 51f38e8-51f38f2 1399->1403 1404 51f3a37-51f3aac 1399->1404 1405 51f3927-51f392b 1399->1405 1406 51f3b06-51f3b0b 1399->1406 1407 51f3905 1399->1407 1408 51f3bd3-51f3bea 1399->1408 1409 51f3c32-51f3c39 1399->1409 1410 51f3ad1-51f3af0 1399->1410 1411 51f3b10-51f3b14 1399->1411 1412 51f3887-51f3890 1400->1412 1413 51f38a6 1400->1413 1422 51f396f-51f3978 1401->1422 1423 51f3990 1401->1423 1424 51f38df 1402->1424 1425 51f38be-51f38c7 1402->1425 1426 51f3908-51f390d 1403->1426 1427 51f38f4-51f3900 1403->1427 1484 51f3aae-51f3ab4 1404->1484 1485 51f3ac4-51f3acc 1404->1485 1415 51f394e 1405->1415 1416 51f392d-51f3936 1405->1416 1414 51f3912-51f3915 1406->1414 1407->1426 1463 51f3bec-51f3bf2 1408->1463 1464 51f3c02 1408->1464 1501 51f3af5 call 51f765c 1410->1501 1502 51f3af5 call 51f767c 1410->1502 1503 51f3af5 call 51f766c 1410->1503 1504 51f3af5 call 51f7639 1410->1504 1505 51f3af5 call 51fe428 1410->1505 1506 51f3af5 call 51fe470 1410->1506 1507 51f3af5 call 51fe3e0 1410->1507 1417 51f3b37 1411->1417 1418 51f3b16-51f3b1f 1411->1418 1419 51f3897-51f389a 1412->1419 1420 51f3892-51f3895 1412->1420 1421 51f38a9-51f38ab 1413->1421 1414->1405 1428 51f3917 1414->1428 1435 51f3951-51f395b 1415->1435 1429 51f393d-51f394a 1416->1429 1430 51f3938-51f393b 1416->1430 1436 51f3b3a-51f3bbc 1417->1436 1431 51f3b26-51f3b33 1418->1431 1432 51f3b21-51f3b24 1418->1432 1433 51f38a4 1419->1433 1420->1433 1437 51f38ad 1421->1437 1438 51f38b1-51f38b6 1421->1438 1439 51f397f-51f398c 1422->1439 1440 51f397a-51f397d 1422->1440 1443 51f3993-51f39fc 1423->1443 1444 51f38e2 1424->1444 1441 51f38ce-51f38db 1425->1441 1442 51f38c9-51f38cc 1425->1442 1426->1414 1427->1398 1428->1401 1428->1404 1428->1405 1428->1406 1428->1408 1428->1409 1428->1410 1428->1411 1447 51f394c 1429->1447 1430->1447 1448 51f3b35 1431->1448 1432->1448 1433->1421 1456 51f3966 1435->1456 1436->1426 1496 51f3bc2-51f3bce 1436->1496 1449 51f38af 1437->1449 1438->1449 1450 51f398e 1439->1450 1440->1450 1451 51f38dd 1441->1451 1442->1451 1486 51f39fe-51f3a04 1443->1486 1487 51f3a14-51f3a21 1443->1487 1444->1403 1447->1435 1448->1436 1449->1398 1450->1443 1451->1444 1456->1401 1465 51f3bf6-51f3bf8 1463->1465 1466 51f3bf4 1463->1466 1497 51f3c04 call 51ffdd8 1464->1497 1498 51f3c04 call 51ffdf0 1464->1498 1499 51f3c04 call 51ffe00 1464->1499 1465->1464 1466->1464 1470 51f3afb-51f3afd call 51fee25 1475 51f3b03 1470->1475 1471 51f3c0a 1476 51f3c11-51f3c1b 1471->1476 1475->1406 1476->1426 1477 51f3c21-51f3c2d 1476->1477 1477->1414 1491 51f3ab8-51f3aba 1484->1491 1492 51f3ab6 1484->1492 1485->1414 1488 51f3a08-51f3a0a 1486->1488 1489 51f3a06 1486->1489 1487->1426 1490 51f3a27-51f3a32 1487->1490 1488->1487 1489->1487 1490->1414 1491->1485 1492->1485 1496->1414 1497->1471 1498->1471 1499->1471 1501->1470 1502->1470 1503->1470 1504->1470 1505->1470 1506->1470 1507->1470
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq
                                              • API String ID: 0-2246304398
                                              • Opcode ID: c1618ad3c89485995503443ef7ead7ca358be8647e825db10c45c796cf8f6c56
                                              • Instruction ID: b0ea882ad4360e6d121e0b95d91ab47719cabfac6356d0052de3cf6715329dc6
                                              • Opcode Fuzzy Hash: c1618ad3c89485995503443ef7ead7ca358be8647e825db10c45c796cf8f6c56
                                              • Instruction Fuzzy Hash: C5919F74B05208EBEB15DB64D459BBD7BB3BF84710F148929F612AB2D0CB748C81CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F391E Relevance: 2.7, Strings: 2, Instructions: 199COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1508 51f391e-51f3925 1509 51f390d 1508->1509 1510 51f3927-51f392b 1508->1510 1513 51f3912-51f3915 1509->1513 1511 51f394e 1510->1511 1512 51f392d-51f3936 1510->1512 1517 51f3951-51f395b 1511->1517 1515 51f393d-51f394a 1512->1515 1516 51f3938-51f393b 1512->1516 1513->1510 1514 51f3917 1513->1514 1514->1510 1518 51f3969-51f396d 1514->1518 1519 51f3a37-51f3aac 1514->1519 1520 51f3b06-51f3b0b 1514->1520 1521 51f3bd3-51f3bea 1514->1521 1522 51f3c32-51f3c39 1514->1522 1523 51f3ad1-51f3af0 1514->1523 1524 51f3b10-51f3b14 1514->1524 1525 51f394c 1515->1525 1516->1525 1529 51f3966 1517->1529 1530 51f396f-51f3978 1518->1530 1531 51f3990 1518->1531 1572 51f3aae-51f3ab4 1519->1572 1573 51f3ac4-51f3acc 1519->1573 1520->1513 1550 51f3bec-51f3bf2 1521->1550 1551 51f3c02 1521->1551 1586 51f3af5 call 51f765c 1523->1586 1587 51f3af5 call 51f767c 1523->1587 1588 51f3af5 call 51f766c 1523->1588 1589 51f3af5 call 51f7639 1523->1589 1590 51f3af5 call 51fe428 1523->1590 1591 51f3af5 call 51fe470 1523->1591 1592 51f3af5 call 51fe3e0 1523->1592 1526 51f3b37 1524->1526 1527 51f3b16-51f3b1f 1524->1527 1525->1517 1536 51f3b3a-51f3bbc 1526->1536 1532 51f3b26-51f3b33 1527->1532 1533 51f3b21-51f3b24 1527->1533 1529->1518 1539 51f397f-51f398c 1530->1539 1540 51f397a-51f397d 1530->1540 1534 51f3993-51f39fc 1531->1534 1541 51f3b35 1532->1541 1533->1541 1574 51f39fe-51f3a04 1534->1574 1575 51f3a14-51f3a21 1534->1575 1565 51f3908 1536->1565 1584 51f3bc2-51f3bce 1536->1584 1542 51f398e 1539->1542 1540->1542 1541->1536 1542->1534 1552 51f3bf6-51f3bf8 1550->1552 1553 51f3bf4 1550->1553 1593 51f3c04 call 51ffdd8 1551->1593 1594 51f3c04 call 51ffdf0 1551->1594 1595 51f3c04 call 51ffe00 1551->1595 1552->1551 1553->1551 1557 51f3afb-51f3afd call 51fee25 1562 51f3b03 1557->1562 1558 51f3c0a 1563 51f3c11-51f3c1b 1558->1563 1562->1520 1563->1565 1566 51f3c21-51f3c2d 1563->1566 1565->1509 1566->1513 1578 51f3ab8-51f3aba 1572->1578 1579 51f3ab6 1572->1579 1573->1513 1576 51f3a08-51f3a0a 1574->1576 1577 51f3a06 1574->1577 1575->1565 1580 51f3a27-51f3a32 1575->1580 1576->1575 1577->1575 1578->1573 1579->1573 1580->1513 1584->1513 1586->1557 1587->1557 1588->1557 1589->1557 1590->1557 1591->1557 1592->1557 1593->1558 1594->1558 1595->1558
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq
                                              • API String ID: 0-2246304398
                                              • Opcode ID: e5aca7ab1c72bbd7fe65b5e893be70f9040301911c76856b0c7a2b11bd057eb0
                                              • Instruction ID: d157c63e27989626af23b762ad35a8833a0d1e9ac9c710142da46b1dbad5a705
                                              • Opcode Fuzzy Hash: e5aca7ab1c72bbd7fe65b5e893be70f9040301911c76856b0c7a2b11bd057eb0
                                              • Instruction Fuzzy Hash: 97718074B012089BEB159B74D859BAE7AB3BF84710F248425F616AB3C4CB709C81CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F9FD0 Relevance: 2.6, Strings: 2, Instructions: 63COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1596 51f9fd0-51f9fee 1597 51f9ff5-51f9ffa 1596->1597 1598 51f9ff0 1596->1598 1610 51f9ffd call 51fa0b8 1597->1610 1611 51f9ffd call 51fa0c8 1597->1611 1598->1597 1599 51fa003 1600 51fa00a-51fa026 1599->1600 1601 51fa02f-51fa030 1600->1601 1602 51fa028 1600->1602 1603 51fa09d-51fa0a1 1601->1603 1602->1599 1602->1601 1602->1603 1604 51fa076-51fa098 1602->1604 1605 51fa032-51fa046 1602->1605 1604->1600 1607 51fa059-51fa060 1605->1607 1608 51fa048-51fa057 1605->1608 1609 51fa067-51fa074 1607->1609 1608->1609 1609->1600 1610->1599 1611->1599
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 3H5$3H5
                                              • API String ID: 0-2752242361
                                              • Opcode ID: c3b73fe4ff921d0ce8a664c4cd2b0ff5a7fec0ab8ab48c938ffb0a657027898b
                                              • Instruction ID: 18778e6abc2fd5961601f617bb72047e2e41e4edb098a9e06b003c274ed840a3
                                              • Opcode Fuzzy Hash: c3b73fe4ff921d0ce8a664c4cd2b0ff5a7fec0ab8ab48c938ffb0a657027898b
                                              • Instruction Fuzzy Hash: 1F214AB0D11209DFCB48CFA9D440AAEFBF1FF89300F10C56AD609A7250E7349A45CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02AB449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1612 2ab449c-2ab59d9 CreateActCtxA 1615 2ab59db-2ab59e1 1612->1615 1616 2ab59e2-2ab5a3c 1612->1616 1615->1616 1623 2ab5a4b-2ab5a4f 1616->1623 1624 2ab5a3e-2ab5a41 1616->1624 1625 2ab5a51-2ab5a5d 1623->1625 1626 2ab5a60-2ab5a90 1623->1626 1624->1623 1625->1626 1630 2ab5a42-2ab5a4a 1626->1630 1631 2ab5a92-2ab5b14 1626->1631 1630->1623 1634 2ab59cf-2ab59d9 1630->1634 1634->1615 1634->1616
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 02AB59C9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 8730840ca7dd4f2721409a09cd0543370768d6dd7ed0f524f4ad323c33b59f1d
                                              • Instruction ID: bc5f504a293a2b54147cbb8e63f756eb3e0dd1ed33773a6c55e506d42a62d9a3
                                              • Opcode Fuzzy Hash: 8730840ca7dd4f2721409a09cd0543370768d6dd7ed0f524f4ad323c33b59f1d
                                              • Instruction Fuzzy Hash: 8141CEB0C0071DCBDB25CFA9C884ADEBBB9BF49304F60816AD509AB251DB756949CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02AB590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 02AB59C9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 25a4a242c893c46945cd344f198632c794e0fcbc2e448c121c9cda079ff131f6
                                              • Instruction ID: fce9c5f5c76de85e7f6931aae55f39171270c18a75d0a8b71cc6f7bf34d96e4f
                                              • Opcode Fuzzy Hash: 25a4a242c893c46945cd344f198632c794e0fcbc2e448c121c9cda079ff131f6
                                              • Instruction Fuzzy Hash: 45410FB0C00719CADB25CFA9C884BCDFBB5BF4A314F64815AD408BB2A1DB712949CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02ABA858 Relevance: 1.6, APIs: 1, Instructions: 85libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02ABB101,00000800,00000000,00000000), ref: 02ABB312
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 57a6aa18bfbdea23a313316c83df4bc02573dc94a3978654d48e8fc83c880e1e
                                              • Instruction ID: 11c2a17f339abf0d68939516a35eb7275a9d17d3e19f6179d4a08f0c5aed5880
                                              • Opcode Fuzzy Hash: 57a6aa18bfbdea23a313316c83df4bc02573dc94a3978654d48e8fc83c880e1e
                                              • Instruction Fuzzy Hash: BF31E0B68043488FDB12CFAAC8806EEBFF8EF59314F45849AD454A7212C7389505CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02ABC9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                              Download Yara Rule
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ABD2C6,?,?,?,?,?), ref: 02ABD387
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 4eee2183060357587d8880cbaba7cbe83056067a99b6b3967017b487d07e3a27
                                              • Instruction ID: 931ba3df19d1868ae4b012dda767ce5fbd7b92d00722a27e8ae29da448dff9f0
                                              • Opcode Fuzzy Hash: 4eee2183060357587d8880cbaba7cbe83056067a99b6b3967017b487d07e3a27
                                              • Instruction Fuzzy Hash: 132103B5900208DFDB10CF9AD984ADEBBF8EB48310F14845AE918A3311C378A950CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02ABD2F9 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                              Download Yara Rule
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ABD2C6,?,?,?,?,?), ref: 02ABD387
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 091c91c31b9495d867de56aafb4f05d0023e84a802c6a0c2d74a9c586e945dd6
                                              • Instruction ID: 25f74a5f45caef0987475cc49a8b4d6419d164e44bdca17cea032e9a5511d6ea
                                              • Opcode Fuzzy Hash: 091c91c31b9495d867de56aafb4f05d0023e84a802c6a0c2d74a9c586e945dd6
                                              • Instruction Fuzzy Hash: 8021E0B5900209DFDB11CFAAD985ADEBBF8EB48320F14845AE918B3251C378A954CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02ABA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02ABB101,00000800,00000000,00000000), ref: 02ABB312
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 6baf584d6e76182e293713c458e8a87264e971b9a3ac8cedd047174e4a269732
                                              • Instruction ID: 44f7b3e5abd57e0dea109c56de9bb909c6022d955b2f7e8fc291f4618db763aa
                                              • Opcode Fuzzy Hash: 6baf584d6e76182e293713c458e8a87264e971b9a3ac8cedd047174e4a269732
                                              • Instruction Fuzzy Hash: 911114B6D003498FCB11CF9AC884ADEFBF8EF88314F10846AD919A7601C775A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02ABB2A1 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02ABB101,00000800,00000000,00000000), ref: 02ABB312
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: ca84af0bbecccc6347429cce64344ad41c98ebe4a27918c125a1e2511aeba159
                                              • Instruction ID: 548da3ce78e21c6a94d756b766cb6e50f4c473b5ffeae7adb00e39c5f8b98689
                                              • Opcode Fuzzy Hash: ca84af0bbecccc6347429cce64344ad41c98ebe4a27918c125a1e2511aeba159
                                              • Instruction Fuzzy Hash: 961133B68002498FCB11CFAAC984ADEFBF8EF48314F14855AD829A7641C374A545CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02ABB019 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02ABB086
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 4ff6f78cdb0c89995d197314f3185a7b0347464123bb83a9c5afc3201164e0df
                                              • Instruction ID: 98307926f1d413ffa9ca4dda77e8fa9f5bf30306e5eb3700c13e2b98b1393f16
                                              • Opcode Fuzzy Hash: 4ff6f78cdb0c89995d197314f3185a7b0347464123bb83a9c5afc3201164e0df
                                              • Instruction Fuzzy Hash: 081112B6C04349CFDB11CFAAC944BDEFBF4AF48214F14845AC469A7611C379A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02ABB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02ABB086
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2093654410.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_2ab0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 913be3ffc60aefcadac33952be51e4102ef190d806f244b717cdacc4b0f5ea6a
                                              • Instruction ID: 0f34090e50d7e37702591b9c23d0fac85eb405c818e8479e4464a150e05ccb18
                                              • Opcode Fuzzy Hash: 913be3ffc60aefcadac33952be51e4102ef190d806f244b717cdacc4b0f5ea6a
                                              • Instruction Fuzzy Hash: 5C1102B6C003498FCB20CF9AC844ADEFBF8EF88214F10841AD829A7611C375A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F0C50 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Teeq
                                              • API String ID: 0-348098666
                                              • Opcode ID: 947ec273001afc28bc4c7728cbfd1c8c2011040a750f1aa7416080c17d0ffdb6
                                              • Instruction ID: 99770342f7c628370edd45b9e98d60063eb9ae9f649fc0bf697e7f2ab587e889
                                              • Opcode Fuzzy Hash: 947ec273001afc28bc4c7728cbfd1c8c2011040a750f1aa7416080c17d0ffdb6
                                              • Instruction Fuzzy Hash: 68418F75B012058FCB11DB7998489AEBBF7FFC83247148969E419DB396EF30AD058750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC110 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: O};5
                                              • API String ID: 0-3558557551
                                              • Opcode ID: 9e4548715d1ea52cd383f230447a1c8e672fe83e08faafdb5517cc1e004818ec
                                              • Instruction ID: c2bcd254e24ad7e066dcc9b0927833eff498d1b1202b75c950f5cef947e887ec
                                              • Opcode Fuzzy Hash: 9e4548715d1ea52cd383f230447a1c8e672fe83e08faafdb5517cc1e004818ec
                                              • Instruction Fuzzy Hash: CE41DF70A1A609DFEB44CF95D5848ADFFB1FF89301F54C895D019AB368D730AA64CB10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC120 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: O};5
                                              • API String ID: 0-3558557551
                                              • Opcode ID: e3d90db5ddd241735f06a597fd1de1ebba8f44d28f7f0e0ecf913c8aceb33e00
                                              • Instruction ID: c587eb4f4f407443e8cde7ef1b10170b384c5af91d12e310959d71dec2b9c7fb
                                              • Opcode Fuzzy Hash: e3d90db5ddd241735f06a597fd1de1ebba8f44d28f7f0e0ecf913c8aceb33e00
                                              • Instruction Fuzzy Hash: C641BD70A1A60DDFEB44CF95D5848AEFFB2FB89211F608895D009AB358D730AA64DB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F6470 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: %
                                              • API String ID: 0-2567322570
                                              • Opcode ID: b6143d9f63b6d93b4b32a8e5216997bff4f55a37d647be764eb7b39d8ba56d9a
                                              • Instruction ID: a28a8f9e3c8b4702a8333dde1e64a34aa59db6ea973a251eb4a299d4b06ea27f
                                              • Opcode Fuzzy Hash: b6143d9f63b6d93b4b32a8e5216997bff4f55a37d647be764eb7b39d8ba56d9a
                                              • Instruction Fuzzy Hash: 1F21BFB1A04219CBD724EFA9D9502BAF7B2FB40700F004636A616E7295D334ED81D7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F9FC2 Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 3H5
                                              • API String ID: 0-3899204960
                                              • Opcode ID: cd597e6a5a9f8364f9118bdf88a49b92860dba706c99c3fe10924b15d1552ad8
                                              • Instruction ID: 139dbe46532e58a979e45a0a7ae7dca95b409ffd672f7084722d554d4316f788
                                              • Opcode Fuzzy Hash: cd597e6a5a9f8364f9118bdf88a49b92860dba706c99c3fe10924b15d1552ad8
                                              • Instruction Fuzzy Hash: 5C216DB0D11609DFDB18CFA9D580AAEFBF1FF89310F24C5AAD108AB250D7349A45CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FEE25 Relevance: .2, Instructions: 171COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c9294947a48517c0c29fff0b873fcbedc3c6048593958565b9b78847227a8027
                                              • Instruction ID: cc5e02f51eab09622650ce3ae231ae49f1f3cc0b200a5a3c0b16152c4f435178
                                              • Opcode Fuzzy Hash: c9294947a48517c0c29fff0b873fcbedc3c6048593958565b9b78847227a8027
                                              • Instruction Fuzzy Hash: 01519E74E012099FDB54DFA4C8487BEBBB2BF44311F208226FA55A73D1DB749982CB52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FBFB8 Relevance: .1, Instructions: 120COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab036b49b036d87da6eec1aff4c3daa585746ca61408f02864293df68fbb18f7
                                              • Instruction ID: 18dce1e46f6995b9e76305133b89f21e54f0640a47d4be73c2ca67211fabe0ab
                                              • Opcode Fuzzy Hash: ab036b49b036d87da6eec1aff4c3daa585746ca61408f02864293df68fbb18f7
                                              • Instruction Fuzzy Hash: 4141A1B491A7848FD306CF69D490948BFB0EF8A211F1A85D6D484DF3B3D734A999CB12
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC298 Relevance: .1, Instructions: 109COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84af049bc76af6d70fc563498cc1a6dbbb80b0c1b76424e4bc6494faaf3d7409
                                              • Instruction ID: 9ebc85a9565e130dc26ea976a474ffd8d0d6058866542b18a9b8ea1099f1a0e6
                                              • Opcode Fuzzy Hash: 84af049bc76af6d70fc563498cc1a6dbbb80b0c1b76424e4bc6494faaf3d7409
                                              • Instruction Fuzzy Hash: 47418BB5E0520A9FDB04CFD5D8429EEBBB6FF89310F149525E505BB250D7709A81CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC2A8 Relevance: .1, Instructions: 106COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef6251c28e662abdeaf98f4927e39a88b5ba2c415d46cebe48ae34871013a204
                                              • Instruction ID: c25e6b83a05fe8e4568ac4d0604308966e78597df338e79ef2b23efbddf9da0d
                                              • Opcode Fuzzy Hash: ef6251c28e662abdeaf98f4927e39a88b5ba2c415d46cebe48ae34871013a204
                                              • Instruction Fuzzy Hash: 36417B75E0520A9FCB04CFD5D8419EEBBB6FF89310F109525E505BB250D7709A81CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F1064 Relevance: .1, Instructions: 99COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 89e08116abae265200f790d797c87e7cb2c116673a6ced7a2bfd20ca779ef8ed
                                              • Instruction ID: fdc8021d5d47f64e74394444cffb5f656377e333f8e925b57562d0287c4ced28
                                              • Opcode Fuzzy Hash: 89e08116abae265200f790d797c87e7cb2c116673a6ced7a2bfd20ca779ef8ed
                                              • Instruction Fuzzy Hash: 7A41E0B1D04309DBDB24CFA9C984ADDFBB5BF48300F24811AD508BB240D7756A4ACF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F1070 Relevance: .1, Instructions: 96COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2b5fefc71f65ed52ffc54a40e49e6ad0117164d80ca114a0b86070ef15c6917c
                                              • Instruction ID: 03ed2b9bb7076458b501507b6fc03814d5a41e3abb0255308dbe9b74de852c5c
                                              • Opcode Fuzzy Hash: 2b5fefc71f65ed52ffc54a40e49e6ad0117164d80ca114a0b86070ef15c6917c
                                              • Instruction Fuzzy Hash: 4841CFB1D04709DBDB24CFAAC984ADDFBB5BF48304F24802AD509BB254D7756A4ACF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F0F68 Relevance: .1, Instructions: 80COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 82dbbcd29817c87ae1a3e989c09de251e50e9efe34b642a66fe2cc3cb1109004
                                              • Instruction ID: f4a53f16428b199de5dca8f2e822e5f976984178166493c737be678f9fca484a
                                              • Opcode Fuzzy Hash: 82dbbcd29817c87ae1a3e989c09de251e50e9efe34b642a66fe2cc3cb1109004
                                              • Instruction Fuzzy Hash: DA21D3716042048FC701DF78C8489DBBBE6EF8531471488AAE506DB796EF71E905CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FFE00 Relevance: .1, Instructions: 77COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 49ffb8df501050d9a4338be586235a6ac86ce1cd457a7f16c060051e441b3f9d
                                              • Instruction ID: a0b7d349b60cfd687137492ade18ca3db68f5cc1fa60fcae254829b42ab7cabe
                                              • Opcode Fuzzy Hash: 49ffb8df501050d9a4338be586235a6ac86ce1cd457a7f16c060051e441b3f9d
                                              • Instruction Fuzzy Hash: 4421B2307452149FD7248E189919B3A7A62BB81701F27E06AE2168F297DBB6CCC3C756
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00E1D3D8 Relevance: .1, Instructions: 75COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2092204365.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_e1d000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e9a87cb2f18489f4cf164708cdf670147684468c6d6aaea3ecd7e302807443f4
                                              • Instruction ID: 730fa40711dbdee33109136e5a999d95c3a59b0801a718a583e4664fe9a181e4
                                              • Opcode Fuzzy Hash: e9a87cb2f18489f4cf164708cdf670147684468c6d6aaea3ecd7e302807443f4
                                              • Instruction Fuzzy Hash: B1216A71108204DFDB05DF04DDC0B96BF65FB98324F20C56CE80A5B246C33AE896C7A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F6461 Relevance: .1, Instructions: 74COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77b5f1cece20cba3d7fd07f0f5723f1e797a36474fe7c6f8745e34b0f01f854c
                                              • Instruction ID: c95f3660550bd2eb4621f89e80e7eba04bfab5d07788c72f1a9a285a76066790
                                              • Opcode Fuzzy Hash: 77b5f1cece20cba3d7fd07f0f5723f1e797a36474fe7c6f8745e34b0f01f854c
                                              • Instruction Fuzzy Hash: 7321E0B1A00519DBD714EFA9D9816BAF7F2FB40700F004626E626E7285D338EC50DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FFDF0 Relevance: .1, Instructions: 73COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0be37c50579b405d2713a6f91a38236cc1285100bc3816cfc2bbdb15aaccaaf4
                                              • Instruction ID: a181013464de5d85c5cc0433106ea3c1dabce1a4a40c9f38677d0d39c89d1132
                                              • Opcode Fuzzy Hash: 0be37c50579b405d2713a6f91a38236cc1285100bc3816cfc2bbdb15aaccaaf4
                                              • Instruction Fuzzy Hash: 9621C132745200DFD7248E64D919B297762FB81701F27A0AAE2158F197C7B6CC83C755
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00E2D1D4 Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2092303799.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_e2d000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4928b7e068c12bf02b1c48e5933cf471f9114b9e6469e19a0047be086a6775f
                                              • Instruction ID: 82203a012b13aeb3cc78b45316e61842596b83afd183f9f6ea54e406cf6e5dad
                                              • Opcode Fuzzy Hash: f4928b7e068c12bf02b1c48e5933cf471f9114b9e6469e19a0047be086a6775f
                                              • Instruction Fuzzy Hash: 27212972508204DFDB05DF54EDC0B26BB65FB84318F34C56DDA095B266C336D816CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00E2D01C Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2092303799.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_e2d000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c8b40b0c16f25b589ac5c6981b58312b7ee450efa8af35cf01a626d3e543103
                                              • Instruction ID: b6edcc257f52782a0e69001a11faaa96b2d8411164ee3c8aa7bd4e1b572cb43d
                                              • Opcode Fuzzy Hash: 9c8b40b0c16f25b589ac5c6981b58312b7ee450efa8af35cf01a626d3e543103
                                              • Instruction Fuzzy Hash: 8421F575508240DFCB15DF14ED84F16BB66FB84314F24C56DDA0A5B2A6C33AD807CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F76BC Relevance: .1, Instructions: 71COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e99538192c46cef3ec3942831053c95a52c1c7644e326e300f01d4aecf47c614
                                              • Instruction ID: 130f48769a0b0047c5afa1f8b7e9f9824455dd83b75e0647eabcd52bf416cfca
                                              • Opcode Fuzzy Hash: e99538192c46cef3ec3942831053c95a52c1c7644e326e300f01d4aecf47c614
                                              • Instruction Fuzzy Hash: C4110A32E102049FDB04EF69EC44AAE7BBAEFC4320F04C576E514EB255DB30A915CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FFDD8 Relevance: .1, Instructions: 69COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3431ba6465daeed83d47c1cbf34523365c2af7f443b3dbd9cccb2787fb5530c8
                                              • Instruction ID: 9ba592811cd993e72493016d93faf91956928055e9990ae5c5f446a98a4e37a8
                                              • Opcode Fuzzy Hash: 3431ba6465daeed83d47c1cbf34523365c2af7f443b3dbd9cccb2787fb5530c8
                                              • Instruction Fuzzy Hash: 1A21FD30745200DFD7248E14D919B39BA62EB81705F27E0AAE2228F197D7B2CCC3CB16
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F3CE0 Relevance: .1, Instructions: 69COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bde560809348596987aeb87aefc98939fd51c9e527a02d23d0a8aa8124434ab6
                                              • Instruction ID: 5a34ef1d083a1ac0fa514602487fd5121d025102a00dbd7b8079e11f671ad711
                                              • Opcode Fuzzy Hash: bde560809348596987aeb87aefc98939fd51c9e527a02d23d0a8aa8124434ab6
                                              • Instruction Fuzzy Hash: 74213679A08610CBC728CB68DC403FAF7A2FB41711F848937E67ACA284D338D8448391
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F766C Relevance: .1, Instructions: 66COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a121b2721fd7651cce43b24c0e639c0aa9c8452e577b3268c72e54de3a0615be
                                              • Instruction ID: 6bd7a9aba9f0a91ee1de6649bd70f83e9dc164e8ed069bd8d860cc03f67c7809
                                              • Opcode Fuzzy Hash: a121b2721fd7651cce43b24c0e639c0aa9c8452e577b3268c72e54de3a0615be
                                              • Instruction Fuzzy Hash: B111EFB1B15344AFDB05DBB8CC09A697BF9EB46200B1448AAE945C3282EB34DD01CB21
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F0DF4 Relevance: .1, Instructions: 66COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b3553767bb03dbdcd76fffdccd1aa4b28d839c7b5b2190196db80f4732e2b071
                                              • Instruction ID: a5f1a1afddb454acbfb990f0378bd5fdaa33a87768bd727280002b1e344baa97
                                              • Opcode Fuzzy Hash: b3553767bb03dbdcd76fffdccd1aa4b28d839c7b5b2190196db80f4732e2b071
                                              • Instruction Fuzzy Hash: 4F31C2B1C11218DFDB20CF99C988B8EBFF5EB08314F24845AE505B7252C7755885CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F0E00 Relevance: .1, Instructions: 64COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6da9084ffd673d44dbf3254f3bfc92e32cac3eba45b63f5c7e1cb8e0dd216d79
                                              • Instruction ID: f94e7783037cef6a39cbb238648bc5c63e5e99227c178d71e0d3a266aa9eba46
                                              • Opcode Fuzzy Hash: 6da9084ffd673d44dbf3254f3bfc92e32cac3eba45b63f5c7e1cb8e0dd216d79
                                              • Instruction Fuzzy Hash: 4421BFB1D01218DFDB20CF99C988B8EBFF5BB48314F24845AE905BB252C7B55885CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00E2D005 Relevance: .1, Instructions: 62COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2092303799.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_e2d000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f7e2a50ade64f4ebca7bec09c199c38d35281dae4cc4a188533080c553a585fe
                                              • Instruction ID: b2d04f5b90121d577edeb4d06ba168670e5cd158491de140ec73349b9ae83f9c
                                              • Opcode Fuzzy Hash: f7e2a50ade64f4ebca7bec09c199c38d35281dae4cc4a188533080c553a585fe
                                              • Instruction Fuzzy Hash: D221537550D3808FD712CF24D994B15BF72EB46314F28C5DAD9498B6A7C33A980ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FC048 Relevance: .1, Instructions: 62COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 61e37747f5598deed66edd73517fac44aa7d05717ee3bbbd53b3c1548d57cf75
                                              • Instruction ID: 98ade258ada9d20817bb0e9f0f8f192ce3bfe3b40805e404cd40b0d3a8f3e4ad
                                              • Opcode Fuzzy Hash: 61e37747f5598deed66edd73517fac44aa7d05717ee3bbbd53b3c1548d57cf75
                                              • Instruction Fuzzy Hash: 0321C4B4A11908DFD704CF5AE084899BFF1FF88321F5281D5E8449B365DB31E9A4CB11
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F0F58 Relevance: .1, Instructions: 62COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 85b92359aae558382e51aa19a33d84f696a85707bc9f7198afaa0c32319e4f24
                                              • Instruction ID: 8618b21b67d4cab21d9f5b86a4a31650af5e0157d8f14b02377855241bf743d1
                                              • Opcode Fuzzy Hash: 85b92359aae558382e51aa19a33d84f696a85707bc9f7198afaa0c32319e4f24
                                              • Instruction Fuzzy Hash: 62116D716006058FCB11DB78C848AEBBBFAEF84714B148969E516DB365EF31E904CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F3CDA Relevance: .1, Instructions: 61COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3e61ddf4a45893def728f9b236a59240f2b99f94d81f5a5d673c24c1f0629422
                                              • Instruction ID: e2cbce2096a4fe68e5330c515564f8df0585fe3bc0fb890df63fcd58b09ace19
                                              • Opcode Fuzzy Hash: 3e61ddf4a45893def728f9b236a59240f2b99f94d81f5a5d673c24c1f0629422
                                              • Instruction Fuzzy Hash: 7B112775A085148BC724CB69D8417FAF7E6FB44721F888A37E63ACB294C378D844C390
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F0C42 Relevance: .1, Instructions: 57COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2533cb963310cba3aac3f2c5edb2cc660e7c16d751fcb7164d677d5803237164
                                              • Instruction ID: 1a6ddb88b27c02b1e6bcd45617f45204f8d47b50cbf863c76c0bf9068e9c2b47
                                              • Opcode Fuzzy Hash: 2533cb963310cba3aac3f2c5edb2cc660e7c16d751fcb7164d677d5803237164
                                              • Instruction Fuzzy Hash: BF11A379A002154B8B11DF799D48ABFB7F7FFC82507144929E459E3344EF3099058750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F768E Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21e5285657d72ea149861873b6007886605feb865b4d2ae3b824670e99a0d47e
                                              • Instruction ID: 2b2c5eeb351919dcdabf24d1e238838433bef3ba67350916083f8c5319cd9a70
                                              • Opcode Fuzzy Hash: 21e5285657d72ea149861873b6007886605feb865b4d2ae3b824670e99a0d47e
                                              • Instruction Fuzzy Hash: F9012B72A141456FDB02EF3DDC109EA7FBEDFC622070481A6E158DB266D630C819C7D4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F76CC Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8fe4edb8117fe8a17877d9fdef4cbe02dd9e24958f7a232bf60eec129fa23199
                                              • Instruction ID: e7198e9f3a607abbeafc143333338264d0a588f6356e859c7259506beaf04832
                                              • Opcode Fuzzy Hash: 8fe4edb8117fe8a17877d9fdef4cbe02dd9e24958f7a232bf60eec129fa23199
                                              • Instruction Fuzzy Hash: 4F2103B59043499FCB10CF9AC984ADEBBF9FB48310F10841AE919A7210D374A954CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00E1D3D3 Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2092204365.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_e1d000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                              • Instruction ID: 8a383b2ec92a1e2fff1dc0950a4a58adc126caec51af44c5195d429ce6bf6da3
                                              • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                              • Instruction Fuzzy Hash: CA112676404240CFCB16CF00D9C4B56BF71FB94324F24C6A9D8091B256C33AE89ACBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F3DF1 Relevance: .1, Instructions: 55COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a45758cd364534be3fa731503523d8ca8198268aa317d64a50e5b8e9d2bb0526
                                              • Instruction ID: b3ebc7cac9a8555add81c4585422732f8bfc7ad134e5e24ab4f7f9f5d652151e
                                              • Opcode Fuzzy Hash: a45758cd364534be3fa731503523d8ca8198268aa317d64a50e5b8e9d2bb0526
                                              • Instruction Fuzzy Hash: EF110271A10154AFDB54AB79DC067AABBB2EF88710F004D25F615E73C2DB346981CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FE56A Relevance: .1, Instructions: 54COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f74d28e369aa2dbbfd493bd7e5e971ac5493393a07ba34e71e75e16802738a7
                                              • Instruction ID: dafd00298be58cccbbff62f0c8b1b7cc522ecbe6adeacf59927762082c0d91ce
                                              • Opcode Fuzzy Hash: 0f74d28e369aa2dbbfd493bd7e5e971ac5493393a07ba34e71e75e16802738a7
                                              • Instruction Fuzzy Hash: CF21F6B6800349DFCB10CF9AD984ADEBFF8FB48320F14841AE919A7210D375A554CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00E2D1CF Relevance: .1, Instructions: 53COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2092303799.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_e2d000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                              • Instruction ID: b727ede3594e2321eeba9f1e6c130a8a37946b55db3e7f75e802fac83c67c250
                                              • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                              • Instruction Fuzzy Hash: 3311DD76508284DFDB02CF50D9C4B15FBB1FB84328F24C6ADD9495B2A6C33AD81ACB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F1652 Relevance: .0, Instructions: 45COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b7fa9731800af4f07bbae890b2b98d2061b331b95f7c2b66b2707622d66c514
                                              • Instruction ID: 8247edb6cfbda79f2b9517f40ddc9253034086e7f99c27a15d0685c0b6406dba
                                              • Opcode Fuzzy Hash: 3b7fa9731800af4f07bbae890b2b98d2061b331b95f7c2b66b2707622d66c514
                                              • Instruction Fuzzy Hash: E811E0B5800248DFCB20DF9AD584B9ABBF4EB48320F14841AD519A7240C778A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F1658 Relevance: .0, Instructions: 44COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2907d2e54a63c48b3ea9fbd6af16bd52266243763d129c2718473756caf08346
                                              • Instruction ID: f5196ecba12c3551d8c77116a2bbc3aa4c1f63b68d7b838425dfb128edefd479
                                              • Opcode Fuzzy Hash: 2907d2e54a63c48b3ea9fbd6af16bd52266243763d129c2718473756caf08346
                                              • Instruction Fuzzy Hash: 8311F2B5800248CFCB20DF9AC584B9EBBF4EB48320F14841AD519A7340C374A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FA0B8 Relevance: .0, Instructions: 36COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 04ea30978ba37ab2fc97dcccbf59ba4407a941b76b33f43fda7fd32987f26016
                                              • Instruction ID: 8934780ceb47567f90d3dbfacd3cbb110e96efd09c04f00c7a21abf3af96b432
                                              • Opcode Fuzzy Hash: 04ea30978ba37ab2fc97dcccbf59ba4407a941b76b33f43fda7fd32987f26016
                                              • Instruction Fuzzy Hash: 50014B75A012089FDB04CFA8C584A9DBFF1EF48322F15C194E9085B3A1DB349A82DF01
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FE49A Relevance: .0, Instructions: 35COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ccb0f8ddff487bd99425c31555bf6382c9e53eea2e10707d6b9b022c235b7a02
                                              • Instruction ID: 2efd6ad4a42fede1830d3e817ee4e2bf96ecd3098dc370da277dd3b69138711d
                                              • Opcode Fuzzy Hash: ccb0f8ddff487bd99425c31555bf6382c9e53eea2e10707d6b9b022c235b7a02
                                              • Instruction Fuzzy Hash: 1DF09672B001046FDB05DF59D844F6A7BFAEFC4220B04C066E918D7225D730D9108F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F34B1 Relevance: .0, Instructions: 35COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4447ab1cc8568d5929cc042adc2c2f57fa712af21416b9bcb60c6f4bf2257d07
                                              • Instruction ID: fd493f8dd9c4dc46600bed2144555cc95518272c50b68bd35204db2f9462359b
                                              • Opcode Fuzzy Hash: 4447ab1cc8568d5929cc042adc2c2f57fa712af21416b9bcb60c6f4bf2257d07
                                              • Instruction Fuzzy Hash: 3BF0B4352006145BCB06A729DC85A9EBF6AEFC9320F848955E8455B357CE245D0586A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FA0C8 Relevance: .0, Instructions: 34COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4953db9ac7743bc64d3978905b32700484883bb133bcd2692f9843eeeef00e14
                                              • Instruction ID: 95fef8f2775ad9039d6d4dd3dbab06fc09b56ca21c8639618bf4a143b76fd333
                                              • Opcode Fuzzy Hash: 4953db9ac7743bc64d3978905b32700484883bb133bcd2692f9843eeeef00e14
                                              • Instruction Fuzzy Hash: 0401B674E01208AFDB44DFA9C589A9DBFF5AF48310F15C0A4E9089B361DA34DA80DF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F34C0 Relevance: .0, Instructions: 30COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d56882de0703d01eef897b719414c9e9b2f2f0cf85cd4c5d9fdd3ba70eda23ee
                                              • Instruction ID: e7b40281ccd5dac69d2f4c4ecbcc29ac63bc420c2adace5e270423bd0bc8a2f2
                                              • Opcode Fuzzy Hash: d56882de0703d01eef897b719414c9e9b2f2f0cf85cd4c5d9fdd3ba70eda23ee
                                              • Instruction Fuzzy Hash: 2CF0377530061457C706A669EC8489FBF5BFFC4361B808915F9195B3578F305D4586A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F0EFF Relevance: .0, Instructions: 24COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 02d77eb642e0d59b363716289970a412009203527f006a211d8c0e3b389eb1e7
                                              • Instruction ID: 0ff3c61f9ed1c1540498e25175e6d50df0f378ab41b4fecca05ae29d571456ff
                                              • Opcode Fuzzy Hash: 02d77eb642e0d59b363716289970a412009203527f006a211d8c0e3b389eb1e7
                                              • Instruction Fuzzy Hash: FCF06575A11209EFCB00EFB4E841B5C7FB5EB04310F2045A5F805E3385EA356F509B60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F48F8 Relevance: .0, Instructions: 21COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c4066265b231a875b04af54625f824cedd21964403a6b3da8db93eb1bf5220d4
                                              • Instruction ID: 143ffe087265c544d03a8f7d8d119ca8d7259ea3f666f19fa99acbe5d3eff7a5
                                              • Opcode Fuzzy Hash: c4066265b231a875b04af54625f824cedd21964403a6b3da8db93eb1bf5220d4
                                              • Instruction Fuzzy Hash: 75E0DFE031A3549FDB034A204860A223A35BBEAA00F5250A6C8C1CB2D2DF218945C773
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F0F10 Relevance: .0, Instructions: 19COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7700f93f188480e89e4336c099d9f0aeb04ec7b6459a18ff19566b61fe278c43
                                              • Instruction ID: 0f0a4eb0643c51df8e406d014213fc9253017675a9dfcf6ef116df927b591fb1
                                              • Opcode Fuzzy Hash: 7700f93f188480e89e4336c099d9f0aeb04ec7b6459a18ff19566b61fe278c43
                                              • Instruction Fuzzy Hash: CDE08670A11209EFCB00FFA4E40195C7BB9EB44310F1085A5E805E3384EB362F509B60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F90DC Relevance: .0, Instructions: 18COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 26505a598c0d42a73c8d66a2952d3c110463d17b572cb7d17929bc4ecbf64c30
                                              • Instruction ID: d3d3e2a70261d6351988fab8628f3510c33f12711ee708eff8ec0979936e4635
                                              • Opcode Fuzzy Hash: 26505a598c0d42a73c8d66a2952d3c110463d17b572cb7d17929bc4ecbf64c30
                                              • Instruction Fuzzy Hash: 14E046B551B344CFC768EBA0C0829987B76FF48361B212099E0039A2A8CB35E982CF10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F9064 Relevance: .0, Instructions: 16COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 677f5fb469f386a103c96462200b97006ca383c5910d72845c59d0f516cace49
                                              • Instruction ID: 04efa8c62ef75044bcb087937b8fedc4a23d2ebe9f2cc488e089db49d1feed59
                                              • Opcode Fuzzy Hash: 677f5fb469f386a103c96462200b97006ca383c5910d72845c59d0f516cace49
                                              • Instruction Fuzzy Hash: 2CE08C75913344DFCB68DFA0C495589BB71FF44350B1010A5E8168F2A9D7368A82CF20
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F95A3 Relevance: .0, Instructions: 15COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 35f731ba1e82027f1e5860bdca0fcce678442e5fbb85d6796873c2c829c5a6d1
                                              • Instruction ID: ffd55a5539b61b8e38547a3c69713c0b3ecd8f19a20e73bf8b2b4afc9040531e
                                              • Opcode Fuzzy Hash: 35f731ba1e82027f1e5860bdca0fcce678442e5fbb85d6796873c2c829c5a6d1
                                              • Instruction Fuzzy Hash: 5EE0C2B0C56268DFCB68DF65C9857DDBBB0AB08350F0008CA828667290E7310AE0CF14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F6430 Relevance: .0, Instructions: 13COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2030a65f43350065467322c426cbe04e84c5c9645e1297e97e52c76de7e8e028
                                              • Instruction ID: 8f5c5ed734c55c315f3b2b40576e62b0a07e0663f90d1935c3b1505a900ce9ac
                                              • Opcode Fuzzy Hash: 2030a65f43350065467322c426cbe04e84c5c9645e1297e97e52c76de7e8e028
                                              • Instruction Fuzzy Hash: 95C012222615144FE340A751D453B153A92F3C8305F948410A501C61C4CA2D8C41CB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F68A0 Relevance: .0, Instructions: 13COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 27620ced5d31e6301cf18a50e6e6a28c902a72b04d447a69053c5e39f45193f2
                                              • Instruction ID: a84f5172aff35037fd368cd559f7eb59306144adbd8e6ee770a78a3c759075d9
                                              • Opcode Fuzzy Hash: 27620ced5d31e6301cf18a50e6e6a28c902a72b04d447a69053c5e39f45193f2
                                              • Instruction Fuzzy Hash: DAC012704173089BE750DAB4A449755BAACD705232F004165E50983150DA7505809B75
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051F6F0D Relevance: .0, Instructions: 12COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c3133f4faed7b88bb3361000a76cc65715a36bc61b2d837b4c0f2f93f58f6132
                                              • Instruction ID: f736098f90c225b8a8b3481b0ad64b0620a411a3e433cbd76ba18d74a35398cc
                                              • Opcode Fuzzy Hash: c3133f4faed7b88bb3361000a76cc65715a36bc61b2d837b4c0f2f93f58f6132
                                              • Instruction Fuzzy Hash: 3FD017709121198FCB94DF28D880B8CBBB6FF44200F10EA99E00AE7165DA705E89CF04
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 051FE470 Relevance: .0, Instructions: 8COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2099321204.00000000051F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_51f0000_CNqCubHKvlzbGo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bed5a2d4ff87d0e74b1cf53295a5b1d66d4fde2448414dd5fe45ad5221fe0c3d
                                              • Instruction ID: 11beb685e9f691e88729c12474927110ca79e5b223a267506c35a2abe4545e76
                                              • Opcode Fuzzy Hash: bed5a2d4ff87d0e74b1cf53295a5b1d66d4fde2448414dd5fe45ad5221fe0c3d
                                              • Instruction Fuzzy Hash: 05C08CA7A583C05EE30283A48C0AA097F609F63710708808BE3A0450D2C2240494CB23
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:10.6%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:17
                                              Total number of Limit Nodes:1
                                              execution_graph 33222 6bc2e38 33223 6bc2e60 33222->33223 33226 6bc2e8c 33222->33226 33224 6bc2e69 33223->33224 33227 6bc22c4 33223->33227 33228 6bc22cf 33227->33228 33229 6bc3183 33228->33229 33231 6bc22e0 33228->33231 33229->33226 33232 6bc31b8 OleInitialize 33231->33232 33233 6bc321c 33232->33233 33233->33229 33238 13270a8 33239 13270ec CheckRemoteDebuggerPresent 33238->33239 33240 132712e 33239->33240 33234 6bc0c70 33235 6bc0cb9 33234->33235 33236 6bc0cb2 33234->33236 33236->33235 33237 6bc0d0a CallWindowProcW 33236->33237 33237->33235

                                              Executed Functions

                                              Function 067759C8 Relevance: 9.0, Strings: 6, Instructions: 1483COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-220072568
                                              • Opcode ID: 4a7cb9c8da690b011f2c71cffe209f0e3c74dfe69c06aa159cd9d07ee6c73f37
                                              • Instruction ID: ca20b5a9e74bf652094307358491b0f10f71b4329ec84e144b895b1abe0efb3e
                                              • Opcode Fuzzy Hash: 4a7cb9c8da690b011f2c71cffe209f0e3c74dfe69c06aa159cd9d07ee6c73f37
                                              • Instruction Fuzzy Hash: 08D24A30E10609CFDF64DB68C594AADB7B2FF89314F64C569D409AB265EB34ED81CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677E848 Relevance: 8.3, Strings: 6, Instructions: 781COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-220072568
                                              • Opcode ID: 85937a345b28e92877cb8263f50817471f93d8b6acae9d700c186277b659d825
                                              • Instruction ID: 01830a2f162fe9f7d4dc5b584c5dcb0aad373f967cf4712b2bb80c7282c217ef
                                              • Opcode Fuzzy Hash: 85937a345b28e92877cb8263f50817471f93d8b6acae9d700c186277b659d825
                                              • Instruction Fuzzy Hash: 39527D74E102098FDFA4CB68D5946BEB7B2EB85310F608866E415EB395DB34EC81CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677B398 Relevance: 3.0, Strings: 2, Instructions: 478COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1249 677b398-677b3b6 1250 677b3b8-677b3bb 1249->1250 1251 677b3d2-677b3d5 1250->1251 1252 677b3bd-677b3cb 1250->1252 1253 677b3d7-677b3f1 1251->1253 1254 677b3f6-677b3f9 1251->1254 1260 677b43e-677b454 1252->1260 1261 677b3cd 1252->1261 1253->1254 1256 677b41c-677b41f 1254->1256 1257 677b3fb-677b417 1254->1257 1258 677b421-677b42b 1256->1258 1259 677b42c-677b42e 1256->1259 1257->1256 1263 677b435-677b438 1259->1263 1264 677b430 1259->1264 1269 677b66f-677b679 1260->1269 1270 677b45a-677b463 1260->1270 1261->1251 1263->1250 1263->1260 1264->1263 1271 677b67a-677b680 1270->1271 1272 677b469-677b486 1270->1272 1276 677b602-677b63e 1271->1276 1277 677b682 1271->1277 1286 677b65c-677b669 1272->1286 1287 677b48c-677b4b4 1272->1287 1294 677b64a-677b656 1276->1294 1278 677b684-677b686 1277->1278 1279 677b68a 1277->1279 1281 677b68e-677b68f 1278->1281 1282 677b688-677b689 1278->1282 1283 677b692-677b6af 1279->1283 1284 677b68b-677b68c 1279->1284 1281->1283 1282->1279 1288 677b703-677b70c 1282->1288 1290 677b6b1-677b6b4 1283->1290 1284->1281 1289 677b649 1284->1289 1286->1269 1286->1270 1287->1286 1297 677b4ba-677b4c3 1287->1297 1304 677b6f1-677b701 1288->1304 1305 677b70e-677b752 1288->1305 1289->1294 1292 677b6d7-677b6da 1290->1292 1293 677b6b6-677b6d2 1290->1293 1298 677b6e0-677b6ef 1292->1298 1299 677b90f-677b912 1292->1299 1293->1292 1294->1286 1294->1297 1297->1271 1303 677b4c9-677b4e5 1297->1303 1298->1304 1298->1305 1300 677b9bd-677b9bf 1299->1300 1301 677b918-677b924 1299->1301 1309 677b9c6-677b9c9 1300->1309 1310 677b9c1 1300->1310 1312 677b92f-677b931 1301->1312 1303->1294 1320 677b4eb-677b515 1303->1320 1304->1288 1321 677b8e3-677b8f8 1305->1321 1322 677b758-677b769 1305->1322 1309->1290 1315 677b9cf-677b9d8 1309->1315 1310->1309 1318 677b933-677b939 1312->1318 1319 677b949-677b94d 1312->1319 1324 677b93d-677b93f 1318->1324 1325 677b93b 1318->1325 1326 677b94f-677b959 1319->1326 1327 677b95b 1319->1327 1344 677b640-677b645 1320->1344 1345 677b51b-677b543 1320->1345 1321->1299 1335 677b76f-677b78c 1322->1335 1336 677b8ce-677b8dd 1322->1336 1324->1319 1325->1319 1330 677b960-677b962 1326->1330 1327->1330 1333 677b964-677b967 1330->1333 1334 677b973-677b9ac 1330->1334 1333->1315 1334->1298 1354 677b9b2-677b9bc 1334->1354 1335->1336 1346 677b792-677b888 call 6779bc0 1335->1346 1336->1321 1336->1322 1344->1289 1345->1344 1353 677b549-677b577 1345->1353 1391 677b896 1346->1391 1392 677b88a-677b894 1346->1392 1353->1344 1360 677b57d-677b586 1353->1360 1360->1344 1361 677b58c-677b5be 1360->1361 1369 677b5c0-677b5c4 1361->1369 1370 677b5c9-677b5e5 1361->1370 1369->1344 1371 677b5c6 1369->1371 1370->1294 1372 677b5e7-677b5fa call 6779bc0 1370->1372 1371->1370 1372->1276 1393 677b89b-677b89d 1391->1393 1392->1393 1393->1336 1394 677b89f-677b8a4 1393->1394 1395 677b8a6-677b8b0 1394->1395 1396 677b8b2 1394->1396 1397 677b8b7-677b8b9 1395->1397 1396->1397 1397->1336 1398 677b8bb-677b8c7 1397->1398 1398->1336
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq
                                              • API String ID: 0-2246304398
                                              • Opcode ID: 58df3a3ce48aa567ef62970585a7a6f0d7ef5e69a99606a05f4b6d12d39a1a29
                                              • Instruction ID: 415e4ade7f594dea7ceb84db6ba51671f8f130e79965948ca0d3434ca802e894
                                              • Opcode Fuzzy Hash: 58df3a3ce48aa567ef62970585a7a6f0d7ef5e69a99606a05f4b6d12d39a1a29
                                              • Instruction Fuzzy Hash: 0702AF30B0021A8FDF54DF68D594A6EB7A2FF85700F148529E515EB399EB34ED82CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06770040 Relevance: 2.8, Instructions: 2761COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd13a968958c2921d60d12969a535e3b41dc7d592c986321cda305aa57750602
                                              • Instruction ID: 4d9ac123782d21509a8744f0db0fe7ed143d5b0e018c00d7f8e17827f0ab3b80
                                              • Opcode Fuzzy Hash: cd13a968958c2921d60d12969a535e3b41dc7d592c986321cda305aa57750602
                                              • Instruction Fuzzy Hash: B153E531D10B1A8EDB51EB68C8809A9F7B1FF99300F51D79AE45977121EB70AAC4CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067732F8 Relevance: 2.3, Instructions: 2315COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ecc33288d6a4c936e0d35d94cd748bcff980214c444f417f9a1dfb86b0e7726
                                              • Instruction ID: 0a7251fddd5105c4a53e9a1852cfe59a92fc734ee224b1a938cc57681caa9f61
                                              • Opcode Fuzzy Hash: 4ecc33288d6a4c936e0d35d94cd748bcff980214c444f417f9a1dfb86b0e7726
                                              • Instruction Fuzzy Hash: 50332E31D10B198EDB11EF68C8805ADF7B1FF99300F15C79AE459A7225EB70AAC5CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06770007 Relevance: 2.2, Instructions: 2163COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a1be22ee54eb27ee4950edf3821b5f91d899ec127c2290ec32a29ad387037b54
                                              • Instruction ID: 012f571608e08b9016b23fe42dcf0f7a5d4ac5031e450926e8fe8246ae31c26e
                                              • Opcode Fuzzy Hash: a1be22ee54eb27ee4950edf3821b5f91d899ec127c2290ec32a29ad387037b54
                                              • Instruction Fuzzy Hash: A833D331D10B1A8ACB51EB68C8845A9F7B1FF9A300F51D79AE45977121FB70AAC4CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06779C10 Relevance: .8, Instructions: 814COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1307b4058a5428f0411403d5897fac83a213419807e2b938a876659d0da6026
                                              • Instruction ID: f524e3120f079ed25a3be9c1b17036709040c6e6ac1acd0298d2d75b965e38a6
                                              • Opcode Fuzzy Hash: e1307b4058a5428f0411403d5897fac83a213419807e2b938a876659d0da6026
                                              • Instruction Fuzzy Hash: A6629B30B112048FEF54DB68D594AADB7F2EF89314F248569E406EB394EB35ED81CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067787E0 Relevance: .6, Instructions: 586COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dbf6889de2c29661429efe4a6b3c0c14ec360459929b563ed5aadc8b4196f17c
                                              • Instruction ID: 845d8a412d6858ef7169bb18a0346e730e142e873f9a50ab7bfc9965e9685473
                                              • Opcode Fuzzy Hash: dbf6889de2c29661429efe4a6b3c0c14ec360459929b563ed5aadc8b4196f17c
                                              • Instruction Fuzzy Hash: 7912B271F102159FDF64DB64C88867EB7A2FB85310F24843AE815AB395DB34EC45CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677E2E0 Relevance: 11.6, Strings: 9, Instructions: 391COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 677e2e0-677e2fe 1 677e300-677e303 0->1 2 677e305-677e309 1->2 3 677e314-677e317 1->3 4 677e30f 2->4 5 677e50c-677e516 2->5 6 677e331-677e334 3->6 7 677e319-677e32c 3->7 4->3 8 677e4fd-677e506 6->8 9 677e33a-677e33d 6->9 7->6 8->5 13 677e352-677e35b 8->13 11 677e33f-677e348 9->11 12 677e34d-677e350 9->12 11->12 12->13 14 677e36a-677e36d 12->14 15 677e517-677e52a 13->15 16 677e361-677e365 13->16 17 677e377-677e37a 14->17 18 677e36f-677e374 14->18 24 677e532-677e54e 15->24 25 677e52c-677e52d 15->25 16->14 20 677e39d-677e3a0 17->20 21 677e37c-677e398 17->21 18->17 22 677e3b4-677e3b6 20->22 23 677e3a2-677e3af 20->23 21->20 27 677e3bd-677e3c0 22->27 28 677e3b8 22->28 23->22 26 677e550-677e553 24->26 25->24 30 677e555-677e55f 26->30 31 677e560-677e563 26->31 27->1 33 677e3c6-677e3ea 27->33 28->27 34 677e7cc-677e7cf 31->34 35 677e569-677e5a4 31->35 54 677e3f0-677e3ff 33->54 55 677e4fa 33->55 38 677e7f2-677e7f5 34->38 39 677e7d1-677e7ed 34->39 45 677e797-677e7aa 35->45 46 677e5aa-677e5b6 35->46 40 677e7f7 38->40 41 677e804-677e807 38->41 39->38 126 677e7f7 call 677e837 40->126 127 677e7f7 call 677e848 40->127 43 677e809-677e80d 41->43 44 677e818-677e81a 41->44 43->35 50 677e813 43->50 51 677e821-677e824 44->51 52 677e81c 44->52 53 677e7ac 45->53 59 677e5d6-677e61a 46->59 60 677e5b8-677e5d1 46->60 49 677e7fd-677e7ff 49->41 50->44 51->26 58 677e82a-677e834 51->58 52->51 61 677e7ad 53->61 63 677e417-677e452 call 6779bc0 54->63 64 677e401-677e407 54->64 55->8 77 677e636-677e675 59->77 78 677e61c-677e62e 59->78 60->53 61->61 80 677e454-677e45a 63->80 81 677e46a-677e481 63->81 66 677e40b-677e40d 64->66 67 677e409 64->67 66->63 67->63 86 677e75c-677e771 77->86 87 677e67b-677e756 call 6779bc0 77->87 78->77 84 677e45e-677e460 80->84 85 677e45c 80->85 94 677e483-677e489 81->94 95 677e499-677e4aa 81->95 84->81 85->81 86->45 87->86 97 677e48d-677e48f 94->97 98 677e48b 94->98 101 677e4c2-677e4f3 95->101 102 677e4ac-677e4b2 95->102 97->95 98->95 101->55 103 677e4b6-677e4b8 102->103 104 677e4b4 102->104 103->101 104->101 126->49 127->49
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: W$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-2051485347
                                              • Opcode ID: 4b6423bd50ac9224c922615e0e02c001c32f847a6fcdd7fb6a2154b68c08e7b1
                                              • Instruction ID: cb710b605ce981337b6723ffa6e32f61d6ed003f4c3208082e6953a271adbca2
                                              • Opcode Fuzzy Hash: 4b6423bd50ac9224c922615e0e02c001c32f847a6fcdd7fb6a2154b68c08e7b1
                                              • Instruction Fuzzy Hash: 7BE18F30F1020A8FDF55DFA8D5906AEBBB2FF85304F608969E405EB355DB709886CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677C768 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 874 677c768-677c78d 875 677c78f-677c792 874->875 876 677c794-677c7b3 875->876 877 677c7b8-677c7bb 875->877 876->877 878 677c7c1-677c7d6 877->878 879 677d07b-677d07d 877->879 885 677c7ee-677c804 878->885 886 677c7d8-677c7de 878->886 881 677d084-677d087 879->881 882 677d07f 879->882 881->875 884 677d08d-677d097 881->884 882->881 891 677c80f-677c811 885->891 888 677c7e2-677c7e4 886->888 889 677c7e0 886->889 888->885 889->885 892 677c813-677c819 891->892 893 677c829-677c89a 891->893 894 677c81d-677c81f 892->894 895 677c81b 892->895 904 677c8c6-677c8e2 893->904 905 677c89c-677c8bf 893->905 894->893 895->893 910 677c8e4-677c907 904->910 911 677c90e-677c929 904->911 905->904 910->911 916 677c954-677c96f 911->916 917 677c92b-677c94d 911->917 922 677c971-677c993 916->922 923 677c99a-677c9a4 916->923 917->916 922->923 924 677c9a6-677c9af 923->924 925 677c9b4-677ca2e 923->925 924->884 931 677ca30-677ca4e 925->931 932 677ca7b-677ca90 925->932 936 677ca50-677ca5f 931->936 937 677ca6a-677ca79 931->937 932->879 936->937 937->931 937->932
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq
                                              • API String ID: 0-812946093
                                              • Opcode ID: f63119cb481ac4e89c63534404a8406686bf0c616a598573279fb527b6402881
                                              • Instruction ID: c408fc98d40c76164334b4896e5286d5038ee9d3965680497f1dec06f9902389
                                              • Opcode Fuzzy Hash: f63119cb481ac4e89c63534404a8406686bf0c616a598573279fb527b6402881
                                              • Instruction Fuzzy Hash: F8914F30F1061A8FDF55DB64D9607AEB7B6EF89300F508569D419EB398EF30AC418B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06777DB0 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1202 6777db0-6777dd4 1203 6777dd6-6777dd9 1202->1203 1204 6777ddf-6777ed7 1203->1204 1205 67784b8-67784bb 1203->1205 1225 6777edd-6777f25 1204->1225 1226 6777f5a-6777f61 1204->1226 1206 67784bd-67784d7 1205->1206 1207 67784dc-67784de 1205->1207 1206->1207 1209 67784e5-67784e8 1207->1209 1210 67784e0 1207->1210 1209->1203 1212 67784ee-67784fb 1209->1212 1210->1209 1247 6777f2a call 6778668 1225->1247 1248 6777f2a call 6778658 1225->1248 1227 6777f67-6777fd7 1226->1227 1228 6777fe5-6777fee 1226->1228 1245 6777fe2 1227->1245 1246 6777fd9 1227->1246 1228->1212 1239 6777f30-6777f4c 1242 6777f57 1239->1242 1243 6777f4e 1239->1243 1242->1226 1243->1242 1245->1228 1246->1245 1247->1239 1248->1239
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fjq$XPjq$\Ojq
                                              • API String ID: 0-216941231
                                              • Opcode ID: 1ead421b26e0ba70de712f7b9cfd22a9df968618ab65377446f727b850f56596
                                              • Instruction ID: 91e67ad5407b8506b79f84e36635fe83da9af40ccce094e97351f90ca305bc8c
                                              • Opcode Fuzzy Hash: 1ead421b26e0ba70de712f7b9cfd22a9df968618ab65377446f727b850f56596
                                              • Instruction Fuzzy Hash: 9F617F30F102199FEF549FA4C9547AEBAB6FF88300F20802AE51AAB395DF744D45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677C758 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 2002 677c758-677c75a 2003 677c762 2002->2003 2004 677c75c 2002->2004 2005 677c764 2003->2005 2006 677c76a-677c78d 2003->2006 2004->2003 2005->2006 2007 677c78f-677c792 2006->2007 2008 677c794-677c7b3 2007->2008 2009 677c7b8-677c7bb 2007->2009 2008->2009 2010 677c7c1-677c7d6 2009->2010 2011 677d07b-677d07d 2009->2011 2017 677c7ee-677c804 2010->2017 2018 677c7d8-677c7de 2010->2018 2013 677d084-677d087 2011->2013 2014 677d07f 2011->2014 2013->2007 2016 677d08d-677d097 2013->2016 2014->2013 2023 677c80f-677c811 2017->2023 2020 677c7e2-677c7e4 2018->2020 2021 677c7e0 2018->2021 2020->2017 2021->2017 2024 677c813-677c819 2023->2024 2025 677c829-677c89a 2023->2025 2026 677c81d-677c81f 2024->2026 2027 677c81b 2024->2027 2036 677c8c6-677c8e2 2025->2036 2037 677c89c-677c8bf 2025->2037 2026->2025 2027->2025 2042 677c8e4-677c907 2036->2042 2043 677c90e-677c929 2036->2043 2037->2036 2042->2043 2048 677c954-677c96f 2043->2048 2049 677c92b-677c94d 2043->2049 2054 677c971-677c993 2048->2054 2055 677c99a-677c9a4 2048->2055 2049->2048 2054->2055 2056 677c9a6-677c9af 2055->2056 2057 677c9b4-677ca2e 2055->2057 2056->2016 2063 677ca30-677ca4e 2057->2063 2064 677ca7b-677ca90 2057->2064 2068 677ca50-677ca5f 2063->2068 2069 677ca6a-677ca79 2063->2069 2064->2011 2068->2069 2069->2063 2069->2064
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq
                                              • API String ID: 0-2246304398
                                              • Opcode ID: 15f3745318044ae8deca3ba0a51ae75f5afabd46e2568ac7d70f4661146bb980
                                              • Instruction ID: 2fade0d748e1af4bb9f7814008d5926de4b0fa97611bbb826f10d80d3557f46c
                                              • Opcode Fuzzy Hash: 15f3745318044ae8deca3ba0a51ae75f5afabd46e2568ac7d70f4661146bb980
                                              • Instruction Fuzzy Hash: 7D516130B0020A8FDF55EB74D9A076EB7F6EF89300F508569D419EB398EE319C418B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06BC0C70 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 3031 6bc0c70-6bc0cac 3032 6bc0d5c-6bc0d7c 3031->3032 3033 6bc0cb2-6bc0cb7 3031->3033 3039 6bc0d7f-6bc0d8c 3032->3039 3034 6bc0cb9-6bc0cf0 3033->3034 3035 6bc0d0a-6bc0d42 CallWindowProcW 3033->3035 3041 6bc0cf9-6bc0d08 3034->3041 3042 6bc0cf2-6bc0cf8 3034->3042 3037 6bc0d4b-6bc0d5a 3035->3037 3038 6bc0d44-6bc0d4a 3035->3038 3037->3039 3038->3037 3041->3039 3042->3041
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 06BC0D31
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258722726.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6bc0000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 42a56698cb22278114c6c6cdde129533e9a47b84c11f2a98aee850e724ae47a2
                                              • Instruction ID: f903767215350d66c9a8c88e1de6e21270581b9dca272eb9cfb69927a43cf950
                                              • Opcode Fuzzy Hash: 42a56698cb22278114c6c6cdde129533e9a47b84c11f2a98aee850e724ae47a2
                                              • Instruction Fuzzy Hash: 79411AB5900305CFCB54DF99C848A9ABBF5FB88324F24C49DD519AB321D335A941CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 013270A0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 3045 13270a0-132712c CheckRemoteDebuggerPresent 3047 1327135-1327170 3045->3047 3048 132712e-1327134 3045->3048 3048->3047
                                              APIs
                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0132711F
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3250509676.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_1320000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CheckDebuggerPresentRemote
                                              • String ID:
                                              • API String ID: 3662101638-0
                                              • Opcode ID: 2f9ea4d700cdcc7faad4e125b3b017bfee7895a3e567882eb2c59e2cdf819d5f
                                              • Instruction ID: 36df4897271c55107109aa1ac56a74fdd229310c309d43645c986c93dbc96b33
                                              • Opcode Fuzzy Hash: 2f9ea4d700cdcc7faad4e125b3b017bfee7895a3e567882eb2c59e2cdf819d5f
                                              • Instruction Fuzzy Hash: 10214AB18002598FCB10CFA9D884BEEFBF4FF59320F24845AE455A3241D778A945CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 013270A8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 3051 13270a8-132712c CheckRemoteDebuggerPresent 3053 1327135-1327170 3051->3053 3054 132712e-1327134 3051->3054 3054->3053
                                              APIs
                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0132711F
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3250509676.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_1320000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CheckDebuggerPresentRemote
                                              • String ID:
                                              • API String ID: 3662101638-0
                                              • Opcode ID: 77ab58b614cd3a01c4024523247c5a8bc163fa18af5afa9811f54f43a279c384
                                              • Instruction ID: b0f599b2c6ba6e05f0b69be042a1e2166ed5aa0c5e721c01101bfe3b1b873c55
                                              • Opcode Fuzzy Hash: 77ab58b614cd3a01c4024523247c5a8bc163fa18af5afa9811f54f43a279c384
                                              • Instruction Fuzzy Hash: 352139B58002598FDB10CF9AD884BEEFBF4FF59310F24845AE455A3251D778A944CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06BC22E0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 3057 6bc22e0-6bc321a OleInitialize 3059 6bc321c-6bc3222 3057->3059 3060 6bc3223-6bc3240 3057->3060 3059->3060
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 06BC320D
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258722726.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6bc0000_MSBuild.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 6c86936bdf4eccde26a6c329c98f233459dc0411270604ca16ac0bf4d13f6995
                                              • Instruction ID: f8dbef011ddbd9469211aabfe84275c5baa6f3a16dde100007d09082aabb5d75
                                              • Opcode Fuzzy Hash: 6c86936bdf4eccde26a6c329c98f233459dc0411270604ca16ac0bf4d13f6995
                                              • Instruction Fuzzy Hash: A31115B58047498FCB20DF9AD984B9EFBF8EB48324F208459D519A7200C375A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06BC31B1 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 3063 6bc31b1-6bc31b7 3064 6bc31b8-6bc321a OleInitialize 3063->3064 3065 6bc321c-6bc3222 3064->3065 3066 6bc3223-6bc3240 3064->3066 3065->3066
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 06BC320D
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258722726.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6bc0000_MSBuild.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 665f5935c6b8121a5202e49e5a720bfdb43cb8a8fef28f7be436c122020e2b9a
                                              • Instruction ID: 97737a9191559244df261b361a08536dc87f2cf1813ae4e03f8599305d09f3b7
                                              • Opcode Fuzzy Hash: 665f5935c6b8121a5202e49e5a720bfdb43cb8a8fef28f7be436c122020e2b9a
                                              • Instruction Fuzzy Hash: EC1103B59003499FCB20DFAAD984BCEFFF8EB48320F248459D519A7200C375A544CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06777DA0 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: XPjq
                                              • API String ID: 0-4216394854
                                              • Opcode ID: 6f091d31d5c1311c6ac3d80a83cff87a648428b69e5c2188bfef115f7c499f64
                                              • Instruction ID: 573b9082cc1267a72da5b7784a80bdc11bae30e00566241a5771196c07e3e187
                                              • Opcode Fuzzy Hash: 6f091d31d5c1311c6ac3d80a83cff87a648428b69e5c2188bfef115f7c499f64
                                              • Instruction Fuzzy Hash: 9C41A274B002099FDB48DFA5C954BAEBAF6FFC8300F208529E105AB399DB749C41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677582D Relevance: 1.4, Strings: 1, Instructions: 113COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHeq
                                              • API String ID: 0-2873676430
                                              • Opcode ID: 81ea952492a6c68c2767f65718ac7aee0bf9c6efaf93f9cfa9c48a3dd13723cb
                                              • Instruction ID: a57f9f9888cef4dbcd57b9a55c5cbbbac94bacfe0d1998606561fe612f478ba3
                                              • Opcode Fuzzy Hash: 81ea952492a6c68c2767f65718ac7aee0bf9c6efaf93f9cfa9c48a3dd13723cb
                                              • Instruction Fuzzy Hash: 11311070B142068FEF59AB74C55427E7BA3AF8A210F244969D406EB399EF35DC42CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06775840 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHeq
                                              • API String ID: 0-2873676430
                                              • Opcode ID: d03422c4fa7665eb81fadf192febe9f2fff0d22d35ddfb1187581ccf40a7c054
                                              • Instruction ID: d0805a3d9466a2207847b744d40166f0326bd13cc5abbb77083cea857cd13809
                                              • Opcode Fuzzy Hash: d03422c4fa7665eb81fadf192febe9f2fff0d22d35ddfb1187581ccf40a7c054
                                              • Instruction Fuzzy Hash: F231BC70B102058FEF59AB74D55467F7BA7AF89210B244928D406EB399EF31DC41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677B90E Relevance: 1.3, Strings: 1, Instructions: 30COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq
                                              • API String ID: 0-731066626
                                              • Opcode ID: be53ae00fe9e5ddf4cf0603e282a4737dc642cc3efc753f33db15ce22ff9310e
                                              • Instruction ID: 01098974cfebd764d85080ab3c8ea0e430940253b8d62df898b2c8a224731594
                                              • Opcode Fuzzy Hash: be53ae00fe9e5ddf4cf0603e282a4737dc642cc3efc753f33db15ce22ff9310e
                                              • Instruction Fuzzy Hash: 39F0E536B04209CFDFA44D51E9A02797365AF70A20F044076CE20D7154D330D904CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06777C99 Relevance: 1.3, Strings: 1, Instructions: 25COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Ojq
                                              • API String ID: 0-1665755004
                                              • Opcode ID: fa65a05da742f34c98e73ed80cf0c28730696b850d70815b043fb7df144a0c5f
                                              • Instruction ID: 3135871ed78756c1d4125bbc655bbd0d1e4513338080a4a22a8d2b679df03dc8
                                              • Opcode Fuzzy Hash: fa65a05da742f34c98e73ed80cf0c28730696b850d70815b043fb7df144a0c5f
                                              • Instruction Fuzzy Hash: 40F0FE30A21129DFDF18DF94E859BADBBB6FF88705F20411AE402A7294CB741C45CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677E837 Relevance: .3, Instructions: 295COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a320b559d8edd1a3146855d3d14244c783c9a583189c47229990257b43b8f67f
                                              • Instruction ID: 87712eb771f06e0281a17c43d11c694219a4926ebe3f9328855eaa5b31507767
                                              • Opcode Fuzzy Hash: a320b559d8edd1a3146855d3d14244c783c9a583189c47229990257b43b8f67f
                                              • Instruction Fuzzy Hash: 24A19174F102098BEFA4DBA8D5907BE7BB6FB89310F604465E409EB395DA34DC818B52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067774E0 Relevance: .2, Instructions: 243COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dbbb5baec43f8c3e5f6816f8eecdfd8749b34b30924f0c06954aa23a80616d79
                                              • Instruction ID: ad288e39dc8c05645456acfe69623b4a90a3d1b1459b7452c78d5dff84f2a3da
                                              • Opcode Fuzzy Hash: dbbb5baec43f8c3e5f6816f8eecdfd8749b34b30924f0c06954aa23a80616d79
                                              • Instruction Fuzzy Hash: 64916F30B1060A8FDF58DBA8D59476E77B2EF85314F108529D40AEB399EB34DC828B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06779408 Relevance: .2, Instructions: 229COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8955d3b992b68b625ea0f06c202907208910c76ee5ecb31d170df7005677bc76
                                              • Instruction ID: 1cd77a522c0871bb0cdbef4f577567cbbb7bfbbccf7c8ad788d92b3e80c88f67
                                              • Opcode Fuzzy Hash: 8955d3b992b68b625ea0f06c202907208910c76ee5ecb31d170df7005677bc76
                                              • Instruction Fuzzy Hash: 2C61BFB1F005214FCF559A7EC88066FBADBAFC4220B254439E90EDB364DE69ED0287D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06777800 Relevance: .2, Instructions: 221COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b88e93afb935c31fa90ac7d07e6dff164ca7298a9adc3913a0f99960c8db5ed5
                                              • Instruction ID: 7f9d01750700c696bbbf1492079ccfa50d48feee8b1ab7c59fb32e85912c347c
                                              • Opcode Fuzzy Hash: b88e93afb935c31fa90ac7d07e6dff164ca7298a9adc3913a0f99960c8db5ed5
                                              • Instruction Fuzzy Hash: D4914D34E1061A8FDF64DF68C880BA9B7B1FF85300F208699D449AB295DB70AA85CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067774F0 Relevance: .2, Instructions: 218COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d255bec434500c562978a02140f977c2e2c47c75d3be127e150506645ef769f1
                                              • Instruction ID: 37636bd3c8899bead30650215282ea13c67dc555f906eaf20d672e7ca418c4cd
                                              • Opcode Fuzzy Hash: d255bec434500c562978a02140f977c2e2c47c75d3be127e150506645ef769f1
                                              • Instruction Fuzzy Hash: B4812F34B106098FDF48DBA8D59466E77F6EF85300F108529D40AEB399EF74DC828B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06777818 Relevance: .2, Instructions: 210COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9b177bd5328f498e588be54bc93e05bc929cdf9fa8677248db0811cb216923d5
                                              • Instruction ID: bf44fc6102930d3bf83b22761571d7016f60076067597301aa45c5282504133e
                                              • Opcode Fuzzy Hash: 9b177bd5328f498e588be54bc93e05bc929cdf9fa8677248db0811cb216923d5
                                              • Instruction Fuzzy Hash: 5E915034E106198BDF64DF68C880BADB7B1FF89300F208595D549BB395EB70AA85CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06778668 Relevance: .1, Instructions: 126COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e3629a027a06ab0dae589731d8f2bdf91aa72fc29c17b920787e55483812c1bf
                                              • Instruction ID: af66800a7d987d31c027f270c1f5e083b43292fd4f0fe260ce532f181d42334b
                                              • Opcode Fuzzy Hash: e3629a027a06ab0dae589731d8f2bdf91aa72fc29c17b920787e55483812c1bf
                                              • Instruction Fuzzy Hash: 94415D75F006099BDF60CEA9D884ABFFBB6EB84310F20493AD216D7650D330E9558BD2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067756F0 Relevance: .1, Instructions: 101COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8604b74fa9abad3f99d31b79c2999ceae4a95e5cfee956eec9e16fbb31342b17
                                              • Instruction ID: 4aaad14642e2fb5c3ac3cf7881f2ccd23b7c016da0b8e7476e5804d30f66590d
                                              • Opcode Fuzzy Hash: 8604b74fa9abad3f99d31b79c2999ceae4a95e5cfee956eec9e16fbb31342b17
                                              • Instruction Fuzzy Hash: 20314D34E102059BDF59CFA4D5946AEBBB6AF89310F10C529E806EB354EF70AC42CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06775700 Relevance: .1, Instructions: 91COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7eceac122a19d977ecdbd57b0da1ce65e7401067289107b163af148745040510
                                              • Instruction ID: abddb97412dc7b46d436a6218dde388cfd3ee13ed803bebe5b64eeb4e2c1089a
                                              • Opcode Fuzzy Hash: 7eceac122a19d977ecdbd57b0da1ce65e7401067289107b163af148745040510
                                              • Instruction Fuzzy Hash: D8314F34E142059BDF59CFA4D5946AEB7F6AF89310F10C529E805EB354EF70AC41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067770E8 Relevance: .1, Instructions: 82COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 01feeddded64624ad6c0768fd615df62635cafac743b72397d67145580c378e1
                                              • Instruction ID: ee78efbabca6fb6fa85ab1a08cf5ff8f3fe8a278eee6615e871e8ed4cf7d0152
                                              • Opcode Fuzzy Hash: 01feeddded64624ad6c0768fd615df62635cafac743b72397d67145580c378e1
                                              • Instruction Fuzzy Hash: B7218B71F102199FDF44DFA9DD90AAEBBF1AB89710F148025E909EB364E730E941CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067770F8 Relevance: .1, Instructions: 78COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cbe4c981afab18881de67d549404f5af5cc88bb686ac0abd5ab301e3e81b87c7
                                              • Instruction ID: 2ea0d20b12a03c8ef3ad57ed0f57401a27ad41f3821c83b976edcda221e503e2
                                              • Opcode Fuzzy Hash: cbe4c981afab18881de67d549404f5af5cc88bb686ac0abd5ab301e3e81b87c7
                                              • Instruction Fuzzy Hash: 9B219831F002199FDF44DFA9DDA0AAEBBF1FB89610F148029E905E7394E730D9008B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0114D01C Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3249526520.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_114d000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21d838c0b4f7ccb14a80fbc6149e14f5686478013682292fbbbf11564aa57c10
                                              • Instruction ID: 1d6a7281f59556ee6c072518ef2744730b4bc5ae71ba48ee6ca3ba911514b811
                                              • Opcode Fuzzy Hash: 21d838c0b4f7ccb14a80fbc6149e14f5686478013682292fbbbf11564aa57c10
                                              • Instruction Fuzzy Hash: EE212571504200DFCF19DF98E984B16BB65EB94724F20C56DD8090B246C33AD407CA62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06778658 Relevance: .1, Instructions: 68COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f1c084563c9f849251ae2ea4d21b69bb4faeb04966b562327f20f81f4272da4
                                              • Instruction ID: 894c62c96be92c11f668a99b49b8ca71ccea400b5020ee9ab5b036b2dee5a64a
                                              • Opcode Fuzzy Hash: 6f1c084563c9f849251ae2ea4d21b69bb4faeb04966b562327f20f81f4272da4
                                              • Instruction Fuzzy Hash: 68219071A006059FCF60CEA9DDC99AFBBB6FB85310F10893AD116D3651E230A945CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677A330 Relevance: .1, Instructions: 68COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 85fef21696ae66e4a0b90ac08471dfeff4b84ac3c3456bbeed3ec659d9a4c2dc
                                              • Instruction ID: 8dd0fd223f0011b41d5197896102e736f93ddbe81179ede392ec67c258219a88
                                              • Opcode Fuzzy Hash: 85fef21696ae66e4a0b90ac08471dfeff4b84ac3c3456bbeed3ec659d9a4c2dc
                                              • Instruction Fuzzy Hash: 8C21D331F101189FEF44EB6DE994AAEB7B7EB85310F608529E405EB355EB30ED418B84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0114D006 Relevance: .1, Instructions: 63COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3249526520.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_114d000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc982339f06e6aa47a0252dbb6a367c848b3551c8678ad0ab52a2988035fda44
                                              • Instruction ID: 5e33bb1cfea64befcc26b8ecc26fa6ee6162e8a0eb3dd2d53b54aa56eebdc4f5
                                              • Opcode Fuzzy Hash: bc982339f06e6aa47a0252dbb6a367c848b3551c8678ad0ab52a2988035fda44
                                              • Instruction Fuzzy Hash: 122180755083809FCB07CF54D994711BF71EB56614F28C5DAD8498B2A7C33A980ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067766A8 Relevance: .1, Instructions: 63COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c18250c1da33543dc699425921f72dbd047807d20993d8a144047398deb74710
                                              • Instruction ID: 66f3348f8e46b0d5e27659e169b5370edfcf36aad9c0e7308eae9b700d68c487
                                              • Opcode Fuzzy Hash: c18250c1da33543dc699425921f72dbd047807d20993d8a144047398deb74710
                                              • Instruction Fuzzy Hash: 4E11B271E002199BCF54DB69D8805EEF7F5EF89310F508969D106EB208EA31D940CBD0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677743F Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4e11d170dab41295fac6753cfb2b9f732fdbfa94c1c5c279699fe6764ef220c4
                                              • Instruction ID: 6c183ae7f19c869276c35f4dc81a0608ec4770e191f72fd245234ac618797e32
                                              • Opcode Fuzzy Hash: 4e11d170dab41295fac6753cfb2b9f732fdbfa94c1c5c279699fe6764ef220c4
                                              • Instruction Fuzzy Hash: AD01F131B141104FCF699A3C849072AABEBDBCA222F10C93AE40AC7341DD25CC028390
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06777208 Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 53f941603d8e84b296cf7e2a86ce5d5cbffc4b45354f904b1943bcc747b6a931
                                              • Instruction ID: d6477487d990ee360d7b9eea211a24184422b5a4f713bb46a52e29d1f633c25e
                                              • Opcode Fuzzy Hash: 53f941603d8e84b296cf7e2a86ce5d5cbffc4b45354f904b1943bcc747b6a931
                                              • Instruction Fuzzy Hash: 0811A531F105194BCF58D668D8146AE73FAABC9710F118435E516E7358EE34DC018BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677D919 Relevance: .1, Instructions: 55COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b80507f9fac2a823f213206ff923fe4e62f3dfd6e293e4e96013c638b7458198
                                              • Instruction ID: 28cce3d80c2031402f9386a5ecfc713cd7daea3e616fd6b9b86286cbb8975464
                                              • Opcode Fuzzy Hash: b80507f9fac2a823f213206ff923fe4e62f3dfd6e293e4e96013c638b7458198
                                              • Instruction Fuzzy Hash: F601F730B141110FCF659A78DAB1B3A7BD6DFD6620F108529E04EDB399ED21DC428B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06776EC1 Relevance: .1, Instructions: 54COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2eaeba9192a7c572b1a668d9e2564ffdb46820f2f11fbe60c3af7b4c37e91755
                                              • Instruction ID: 1bc84b46bc0ac628cd663819002724de1fe1c350b323aa8c9f845fb743a65477
                                              • Opcode Fuzzy Hash: 2eaeba9192a7c572b1a668d9e2564ffdb46820f2f11fbe60c3af7b4c37e91755
                                              • Instruction Fuzzy Hash: 7421D0B5D00659AFCB10CF9AD884ADEFFF8FB48310F50816AE918A7241D374A954CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 067771F8 Relevance: .1, Instructions: 54COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 005a550531f66740adc30149072cde52327c014286620cfe5f278d164abf22d1
                                              • Instruction ID: e69408efdf09e5bfd97c99570961018ea6fd5bd1ae51cc58909f3d822938d092
                                              • Opcode Fuzzy Hash: 005a550531f66740adc30149072cde52327c014286620cfe5f278d164abf22d1
                                              • Instruction Fuzzy Hash: AD01B532F104240BDF5895A8AC546FB33BB9BC9611F104036E52AE7258EE249C0287E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06776EC8 Relevance: .1, Instructions: 52COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d267f9b54e2d205742d2085c6bba095df1bd5b30694c2c04ef724f9593dded4
                                              • Instruction ID: afc6291d1a2565a1e6fe7cf926d9af90b9f8b723252807a34e28fc2a2bb7fcb2
                                              • Opcode Fuzzy Hash: 3d267f9b54e2d205742d2085c6bba095df1bd5b30694c2c04ef724f9593dded4
                                              • Instruction Fuzzy Hash: C311E2B5D00659AFCB10CF9AD884ADEFFF8FB48310F10812AE918A7240C374A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06777450 Relevance: .1, Instructions: 51COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 710815958902ef23c356b9cab9c048f13060bddbde7f704e9a2384c07bb43b15
                                              • Instruction ID: f0e071e00a35bbdede281ec73bff3a144d9ad7d792162e087497f0d9e73bb7d1
                                              • Opcode Fuzzy Hash: 710815958902ef23c356b9cab9c048f13060bddbde7f704e9a2384c07bb43b15
                                              • Instruction Fuzzy Hash: 0D01DC31B105205BDF689A7C9490B2BBBEBDBC9720F20C83AE50EC7344ED65DC424394
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677D928 Relevance: .0, Instructions: 46COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b164ff72253f1c2519301f1ebceb7afb5555c3704b8434b45f840535791d2cda
                                              • Instruction ID: 6bfe1a2500c49147b25520e9a4ee3addb82cc5ddcfd152fb6c389ab898eb5a0e
                                              • Opcode Fuzzy Hash: b164ff72253f1c2519301f1ebceb7afb5555c3704b8434b45f840535791d2cda
                                              • Instruction Fuzzy Hash: 79018130B105150BCF64AA38D5A0B3AB7DADFC6620F108838F04ED7354EE21DC428B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06779A93 Relevance: .0, Instructions: 29COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee762fb3680e65e70cdbe0cf4d6ee47245599569670c522342b7be8bffc1d6a8
                                              • Instruction ID: ac69dbbd83776ea5bafff380fadb228bfb82c5c8fd3f797d3e918a6e4866b71d
                                              • Opcode Fuzzy Hash: ee762fb3680e65e70cdbe0cf4d6ee47245599569670c522342b7be8bffc1d6a8
                                              • Instruction Fuzzy Hash: A9E04871D173459FDF50CAB48E4577A7BB9DB42204F2685A6D505DB242E137CE01C7D0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06779AA0 Relevance: .0, Instructions: 22COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 99eaf142ca84b44b7758b2b24655deb4517eb82ac2963be868c188314192dacd
                                              • Instruction ID: 6ffa2253321646e82d59bce3f5ebbdfef5eb2278112d658beb8d23e76f2caa1c
                                              • Opcode Fuzzy Hash: 99eaf142ca84b44b7758b2b24655deb4517eb82ac2963be868c188314192dacd
                                              • Instruction Fuzzy Hash: 22E01271E17208ABDF50DEB4C945B6AB7ADD742214F2189A5D609CB201E576DA0187C0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Function 0677ACB8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-2049195972
                                              • Opcode ID: 1cb0ab41bad017148eb464183f8869b58efa7f564ce98dec2f51970e56e49756
                                              • Instruction ID: 7ca85ae0978e8c67ba6e9eec32f35ad01fcd048fd09b435eaeee291abdd8b889
                                              • Opcode Fuzzy Hash: 1cb0ab41bad017148eb464183f8869b58efa7f564ce98dec2f51970e56e49756
                                              • Instruction Fuzzy Hash: 12120C30E01219CFDF64DF69C994AAEB7B2FF89704F208569D409AB365DB309D85CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677DF48 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-1110479544
                                              • Opcode ID: f16407fc8ca02929887310c116fa88ec7f19fc3a3bef47cc62928feb7652f13d
                                              • Instruction ID: 57ee6c28b8ed26f403e6e3d88b995b3cff159f7cc028bfc044d665717e6a72f2
                                              • Opcode Fuzzy Hash: f16407fc8ca02929887310c116fa88ec7f19fc3a3bef47cc62928feb7652f13d
                                              • Instruction Fuzzy Hash: AD918F30A1020ADFDF68EF68D994B7EBBB2BF44304F208569E401AB295DF749C45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677A6B8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
                                              • API String ID: 0-1622854337
                                              • Opcode ID: f35c3b96cc952d9012bb70094d56777a0165facc5ffe62fbc878e7d078d70bfe
                                              • Instruction ID: b09c87ef53ac749a87399622ede7e5723b0a4086d27eeeb20aaac4967496e099
                                              • Opcode Fuzzy Hash: f35c3b96cc952d9012bb70094d56777a0165facc5ffe62fbc878e7d078d70bfe
                                              • Instruction Fuzzy Hash: 28F14C74B10209CFDB59EB68C594A6EB7B3FF85304F208529D415AB399DB31EC86CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677B9F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq
                                              • API String ID: 0-812946093
                                              • Opcode ID: e7bf79bc82a7349b4968f7686707c13f394304a4be361f984e3512b03dd21000
                                              • Instruction ID: 5aa314a5d60554ffd9fad26987ca508368db208caefee49f6e0210c947f1e19d
                                              • Opcode Fuzzy Hash: e7bf79bc82a7349b4968f7686707c13f394304a4be361f984e3512b03dd21000
                                              • Instruction Fuzzy Hash: CAB14C30A10219CFDF68EF68D59466EB7B2FF88704F248529D406AB395DB74DC86CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677BE08 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LReq$LReq$$eq$$eq
                                              • API String ID: 0-731573373
                                              • Opcode ID: 28537c52ec25a388814d9d68d2fba90eb608a41afe699c56ce5d80026ca21a66
                                              • Instruction ID: eb8960d2e3ce2ee67cce85937dfc648235eabf9d83f3bc6000b05e250ce9d51c
                                              • Opcode Fuzzy Hash: 28537c52ec25a388814d9d68d2fba90eb608a41afe699c56ce5d80026ca21a66
                                              • Instruction Fuzzy Hash: AA51B3307002059FDF58EF68D994A6EB7A2FF89704F108968E5159B3A9DB70EC40CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0677E2D1 Relevance: 5.2, Strings: 4, Instructions: 160COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3258427965.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_6770000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $eq$$eq$$eq$$eq
                                              • API String ID: 0-812946093
                                              • Opcode ID: 903a5d6a81bd3f5a38bfa3b58fa6a2b1895c76a2aab5c610d41a512cf60b382e
                                              • Instruction ID: 04080398227d11ff2d14b03b8359e049a29979bf7657e2752cd56dbb5f8fb216
                                              • Opcode Fuzzy Hash: 903a5d6a81bd3f5a38bfa3b58fa6a2b1895c76a2aab5c610d41a512cf60b382e
                                              • Instruction Fuzzy Hash: 14519D30E102058BDFA5EB78D5906BEB7B2FB85314F2489AAE416EB355DB30DC41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%