Windows Analysis Report
rJlMhHdHP2mDzMGx.exe

Overview

General Information

Sample name: rJlMhHdHP2mDzMGx.exe
Analysis ID: 1428890
MD5: aa9057494eca3828c4aaca40ec9d823e
SHA1: d40deb9f879f6c5ff7bd8597d95f6c6592861a60
SHA256: 74caca096964cc34ef4132f16a9a0aaa96b2d2a5972ee3c7c55bd5634c88bd70
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rJlMhHdHP2mDzMGx.exe (PID: 6152 cmdline: "C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe" MD5: AA9057494ECA3828C4AACA40EC9D823E)
    • MSBuild.exe (PID: 6016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.gazityres.com", "Username": "gaziul@gazityres.com", "Password": "Gazi1975"}
Source | Rule | Description | Author | Strings
00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2476109621.0000000002E59000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2476109621.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
3.2.MSBuild.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.MSBuild.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | Strings:
  • 0x33541:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x335b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3363d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x336cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33739:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x337ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33841:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x338d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 203.169.24.24, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6016, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49708
No Snort rule has matched

AV Detection

Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.gazityres.com", "Username": "gaziul@gazityres.com", "Password": "Gazi1975"}
Source: rJlMhHdHP2mDzMGx.exe | ReversingLabs: Detection: 68%
Source: rJlMhHdHP2mDzMGx.exe | Joe Sandbox ML: detected
Source: rJlMhHdHP2mDzMGx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.98.116.138:443 -> 192.168.2.7:49716 version: TLS 1.0
Source: rJlMhHdHP2mDzMGx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xFqUV.pdb source: rJlMhHdHP2mDzMGx.exe
Source: Binary string: xFqUV.pdbSHA256 source: rJlMhHdHP2mDzMGx.exe
Source: global traffic | TCP traffic: 192.168.2.7:49708 -> 203.169.24.24:587
Source: Joe Sandbox View | IP Address: 203.169.24.24
Source: Joe Sandbox View | ASN Name: GAZICOMM-AS-APGAZICOMMUNICATIONSATELEPORTOPERATORBD
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown | TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: mail.gazityres.com
Source: MSBuild.exe, 00000003.00000002.2482076198.0000000006160000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2476109621.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 00000003.00000002.2482076198.0000000006160000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 00000003.00000002.2482076198.0000000006160000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2476109621.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MSBuild.exe, 00000003.00000002.2482076198.0000000006160000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2476109621.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: MSBuild.exe, 00000003.00000002.2476109621.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.gazityres.com
Source: MSBuild.exe, 00000003.00000002.2482076198.0000000006160000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2476109621.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: MSBuild.exe, 00000003.00000002.2482076198.0000000006160000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2476109621.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, cPKWk.cs | .Net Code: A9G2omroA
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.raw.unpack, cPKWk.cs | .Net Code: A9G2omroA

System Summary

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.rJlMhHdHP2mDzMGx.exe.51c0000.4.raw.unpack, LoginForm.cs | Large array initialization: array initializer size 33603
Source: rJlMhHdHP2mDzMGx.exe, Form1.cs | Long String: Length: 131612
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000000.1231125634.0000000000592000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexFqUV.exe< vs rJlMhHdHP2mDzMGx.exe
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1260964160.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs rJlMhHdHP2mDzMGx.exe
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7d0f2cb-49ff-4075-bb3d-d51120ea7fe7.exe4 vs rJlMhHdHP2mDzMGx.exe
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1264685255.00000000051C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs rJlMhHdHP2mDzMGx.exe
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1266727659.0000000006F90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs rJlMhHdHP2mDzMGx.exe
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1261489993.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef7d0f2cb-49ff-4075-bb3d-d51120ea7fe7.exe4 vs rJlMhHdHP2mDzMGx.exe
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1261980396.0000000004415000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs rJlMhHdHP2mDzMGx.exe
Source: rJlMhHdHP2mDzMGx.exe | Binary or memory string: OriginalFilenamexFqUV.exe< vs rJlMhHdHP2mDzMGx.exe
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: rJlMhHdHP2mDzMGx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: _0020.SetAccessControl
Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: _0020.AddAccessRule
Source: 0.2.rJlMhHdHP2mDzMGx.exe.6f90000.7.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: _0020.SetAccessControl
Source: 0.2.rJlMhHdHP2mDzMGx.exe.6f90000.7.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rJlMhHdHP2mDzMGx.exe.6f90000.7.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: _0020.AddAccessRule
Source: 0.2.rJlMhHdHP2mDzMGx.exe.47736d8.1.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: _0020.SetAccessControl
Source: 0.2.rJlMhHdHP2mDzMGx.exe.47736d8.1.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rJlMhHdHP2mDzMGx.exe.47736d8.1.raw.unpack, p2WYrZEysmcfbdpVDH.cs | Security API names: _0020.AddAccessRule
Source: 0.2.rJlMhHdHP2mDzMGx.exe.47736d8.1.raw.unpack, LteUPvVBirAu5WkVfU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, LteUPvVBirAu5WkVfU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rJlMhHdHP2mDzMGx.exe.6f90000.7.raw.unpack, LteUPvVBirAu5WkVfU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rJlMhHdHP2mDzMGx.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe | Mutant created: \Sessions\1\BaseNamedObjects\cjkofKe
Source: rJlMhHdHP2mDzMGx.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000000.1231125634.0000000000592000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SELECT SUM(Amount) AS Total, Category FROM Expense WHERE ExpenseDate BETWEEN @StartDate and @EndDate GROUP BY Category;
Source: unknown | Process created: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe "C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe"
Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Section loaded: windowscodecs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: rJlMhHdHP2mDzMGx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: rJlMhHdHP2mDzMGx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: rJlMhHdHP2mDzMGx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: xFqUV.pdb source: rJlMhHdHP2mDzMGx.exe
                    Source: Binary string: xFqUV.pdbSHA256 source: rJlMhHdHP2mDzMGx.exe

                    Data Obfuscation

                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.51c0000.4.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, p2WYrZEysmcfbdpVDH.cs .Net Code: eVoY7GOFor System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.47736d8.1.raw.unpack, p2WYrZEysmcfbdpVDH.cs .Net Code: eVoY7GOFor System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.6f90000.7.raw.unpack, p2WYrZEysmcfbdpVDH.cs .Net Code: eVoY7GOFor System.Reflection.Assembly.Load(byte[])
                    Source: rJlMhHdHP2mDzMGx.exe Static PE information: 0xCCC08961 [Tue Nov 8 21:55:45 2078 UTC]
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Code function: 0_2_0548C2D0 push 5D039B78h; ret 0_2_0548C2F7
                    Source: rJlMhHdHP2mDzMGx.exe Static PE information: section name: .text entropy: 7.337518180611176
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, WkSwGORjm2YcFo0YNP.csHigh entropy of concatenated method names: 'Ul9gvklsk7', 's73gDwcqU3', 'zANgykfUlA', 'IdIyBs0Y1y', 'gGGyzCXCx7', 'GhYgSCFMaj', 'oiLgU339J4', 'RS2gAvDib9', 'oMig8BHsfn', 'HvkgYXrADC'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, LOPwg6OjRfejOpdlEA.csHigh entropy of concatenated method names: 'MUhrXOYGCx', 'Ub5rMDmo9M', 'xIADn47NHG', 'LR5Di5QJOI', 'l4eDqVVn1Y', 'loYDLo2tym', 'qLCDRLMDSC', 'j8VDPZFqnO', 'zYyDHwhBp5', 'WRHDjlwrYE'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, p2WYrZEysmcfbdpVDH.csHigh entropy of concatenated method names: 'lCR8tP1C5g', 'K1y8vyZtox', 'fPi8Q0YoML', 'w6P8DTThZR', 'SY68rkWIuq', 'uyZ8yqsttQ', 'Phn8glA0sA', 'hnK8EfswBu', 'OnW8Cn2KFQ', 'wvD8d5OgFO'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, jnW2xuBX4PO7iUXc60.csHigh entropy of concatenated method names: 'lYpFUC8aUW', 'utQF8KNW5a', 'y8uFYKOEGw', 'dRfFvdwF7P', 'UfRFQNT9pF', 'kLTFr7hJsK', 'CdWFyY9OWO', 'XllTs04LTN', 'lKmT0r9WEV', 'FWITWPr3l4'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, p6Fo2wmN1B2qS23VtF.csHigh entropy of concatenated method names: 'bXAG0BEXll', 'PZ7GBUiWRy', 'OdyTSBGJt6', 'rVNTU8FdPt', 'd5tGxShP7g', 'qL0GwkjVSF', 'UC6GI4DXqi', 'GSjGZxtkEx', 'hEXGkNvt25', 'oDHG2hoArf'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, h34XRFU8TkHrYwokVOB.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eGUlZGYbwb', 'gfPlkb7hyp', 'OlMl2iiY6d', 'xAklc4pq5T', 'sCSlpTvS6O', 'GSrlmvjKw2', 'mkElsMU0rr'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, D7uZnLJ17U2dWi89jJ.csHigh entropy of concatenated method names: 'RH8ytsdBH8', 'SFIyQy7jZK', 'OwnyrPV7V3', 'hKJygyXrl7', 'qduyElSqu1', 'YaprpNwkBU', 'HfcrmUiw0Q', 'agxrsVOnQn', 'C7ur0YEBc5', 'cx3rW8uDB1'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, EdI7XsAtxHQHTTntC8.csHigh entropy of concatenated method names: 'jeH7rdgfw', 'ClL6pxZji', 'BwN4ewnDW', 'PpQMHtr2l', 'ghLfvVBiD', 'swROOSjNe', 'FBphQCByYtLMqCYtK2', 'enDBbld3afdPMR5aJL', 'eGPHWxttSSRi6CLlNC', 'p1BTFOeXd'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, G72D6cY8NyIexubbhS.csHigh entropy of concatenated method names: 'FFRUgteUPv', 'YirUEAu5Wk', 'HO2UdscWYM', 'O5HUudROPw', 'UdlU1EAV7u', 'RnLUb17U2d', 'BeaAQlaKTGSqkPRTwX', 'pxcMEWRp1suOWU3LP6', 'pGcUUorubH', 'gsQU8kGoaD'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, LteUPvVBirAu5WkVfU.csHigh entropy of concatenated method names: 'cL5QZDOwFU', 'lU7Qk5n1g9', 'cniQ2jL0Xy', 'zDJQc9UxIr', 'aoXQp8epOR', 'RAqQmHuO3d', 'w1GQsq5sp3', 'xXYQ0MnvjD', 'mk9QWiJMhZ', 'XUOQBTppur'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, XD8c1fIjqWvAU8JOTe.csHigh entropy of concatenated method names: 'F6S3VormNc', 'khb3frti3r', 'HNv3Jt2bZd', 'X0I3e6vLVF', 'AJS3i2bxWA', 'jC13qGfsDy', 'Qyy3Rcx6qk', 'wUN3Pt0985', 'JSg3js4Zhi', 'bQ93x5RlB2'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, uTOqTUQAXF8xfhlRw1.csHigh entropy of concatenated method names: 'Dispose', 'vYoUWS0Sb5', 'PuRAei47Wa', 'KVY992Pq4p', 'OwhUBoC5Ev', 'LsAUzV6MFq', 'ProcessDialogKey', 'DGwAS3YXOv', 'rtNAU4itAU', 'UfgAAgnW2x'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, VXAs3BZrJUtxFR7ZmA.csHigh entropy of concatenated method names: 'VDv1j0HOih', 'fHy1wcPtOx', 'vRs1ZNPlVR', 'yce1kflSnU', 'oJ61ej0C5S', 'GY31nUu7IL', 'Oeh1inSSBe', 'MQN1qsDDRt', 'mOh1LadM1L', 'EjP1R6tGkw'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, XBt5TefO2scWYMx5Hd.csHigh entropy of concatenated method names: 'VWWD6mYb4f', 'z6vD4JpMyh', 'YInDVI8Og4', 'MQFDfrZC4Y', 'rIGD1NeMvj', 'KQ6DbSqGhb', 'E7aDGBFdIQ', 'rokDT79jD4', 'T0UDFkbLXa', 'Es2Dl9YgWE'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, CWXKvSUSWYwP3jr5YlO.csHigh entropy of concatenated method names: 'cowFaBhRjL', 'O6oFhmum52', 'ccDF7O4eNp', 'DS9F6McIH2', 'cnXFXQV1Q7', 'mA9F4CvNrH', 'RMJFMO9UYZ', 'dWkFVV9Z6m', 'vBCFfE7Heb', 'rJCFOJln3G'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, KrPPpqD3kw7Qt7Dr8w.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ea4AWL2PXD', 'uvIABX1QIO', 'HjHAzkfsc6', 'dDr8SGfWHa', 'NHj8UbVm2S', 'NEG8AUvP5y', 'KJS88WH0kQ', 'klTiwjre2IRMwZZ5eKv'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, P3YXOvWTtN4itAUpfg.csHigh entropy of concatenated method names: 'PVfTJUCxWh', 'siUTeTrSS8', 'YrGTncXiRl', 'taJTiueDwi', 'QfATZTBguw', 'E7RTqrbQ4g', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, MMCTpeHuJ1mPFD8m1D.csHigh entropy of concatenated method names: 'dG3gaB4dJ2', 'yFaghOlWal', 'hVGg7BIA4d', 'OGPg6YlVNr', 'QiSgXfrqpE', 'Bj9g4SisQe', 'u67gMAZEDc', 'PJvgVjYA25', 'bxvgf2bQs5', 'VPngOANsIK'
                    Source: 0.2.rJlMhHdHP2mDzMGx.exe.46cc0b8.0.raw.unpack, PhoC5E0vRsAV6MFqMG.csHigh entropy of concatenated method names: 'DgPTvwXa2W', 'x12TQWTLxl', 'RMLTDJRKAi', 'Ul7Tr1c4Zg', 'KIUTy29RMC', 'zRHTggGdf7', 'jWMTE6v9sk', 'bpFTCJPQ01', 'E8GTd57af6', 'JbKTun9tu1'
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: rJlMhHdHP2mDzMGx.exe PID: 6152, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: 27A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: 29B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: 28E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: 7340000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: 6DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: 8340000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: 9340000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: 98A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: A8A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: B8A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1300000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2DE0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4DE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2587
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7269
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe TID: 5628 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep count: 38 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4052 Thread sleep count: 2587 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4052 Thread sleep count: 7269 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99124s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -99015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -98845s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -98734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -98625s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -98515s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -98406s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -98297s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -98187s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -98078s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97966s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97747s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97310s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97203s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -97093s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96546s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -96000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95780s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95124s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -95014s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -94906s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -94796s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -94686s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1540 Thread sleep time: -94578s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98845
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98406
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98187
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97966
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97747
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97310
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97093
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95014
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94796
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94686
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94578
                    Source: rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1266727659.0000000006F90000.00000004.08000000.00040000.00000000.sdmp, rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1261980396.0000000004415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEMu5q9YIm
                    Source: MSBuild.exe, 00000003.00000002.2482076198.0000000006160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CC8008
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Queries volume information: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe VolumeInformation
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.2476109621.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.2476109621.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.2476109621.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: rJlMhHdHP2mDzMGx.exe PID: 6152, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2476109621.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rJlMhHdHP2mDzMGx.exe PID: 6152, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rJlMhHdHP2mDzMGx.exe.4890940.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rJlMhHdHP2mDzMGx.exe.4855f20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2476109621.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2476109621.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2476109621.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rJlMhHdHP2mDzMGx.exe PID: 6152, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 311 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 311 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                    Source | Detection | Scanner | Label
                    rJlMhHdHP2mDzMGx.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                    rJlMhHdHP2mDzMGx.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    https://sectigo.com/CPS0 | 0% | URL Reputation | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
                    mail.gazityres.com | 203.169.24.24 | true | true | | unknown
                    fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown
                    windowsupdatebg.s.llnwi.net | 69.164.42.0 | true | false | | unknown
                    time.windows.com | unknown | unknown | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://sectigo.com/CPS0 | MSBuild.exe, 00000003.00000002.2482076198.0000000006160000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2476109621.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://account.dyn.com/ | rJlMhHdHP2mDzMGx.exe, 00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    http://mail.gazityres.com | MSBuild.exe, 00000003.00000002.2476109621.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    203.169.24.24 | mail.gazityres.com | Bangladesh | 38315 | GAZICOMM-AS-APGAZICOMMUNICATIONSATELEPORTOPERATORBD | true
                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1428890
                                  Start date and time:2024-04-19 19:19:10 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 6m 35s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:19
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:rJlMhHdHP2mDzMGx.exe
                                  Detection:MAL
                                  Classification:mal100.spre.troj.spyw.evad.winEXE@3/1@2/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 136
                                  • Number of non-executed functions: 27
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 23.201.212.130, 168.61.215.74, 20.12.23.50, 23.40.205.35, 69.164.42.0, 192.229.211.108, 52.165.164.15, 20.242.39.171, 199.232.210.172
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: rJlMhHdHP2mDzMGx.exe
                    Time | Type | Description
                    19:20:04 | API Interceptor | 2x Sleep call for process: rJlMhHdHP2mDzMGx.exe modified
                    19:20:06 | API Interceptor | 76x Sleep call for process: MSBuild.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    203.169.24.24 | xYUpeXwPkWEHXm4.exe | malicious | AgentTesla |
                    203.169.24.24 | Shipping Documents.exe | malicious | AgentTesla |
                    203.169.24.24 | dwutTyDPzl2TBZV.exe | malicious | AgentTesla |
                    203.169.24.24 | DHL#Shipment0987789.pdf.exe | malicious | AgentTesla |
                    203.169.24.24 | TT request.exe | malicious | AgentTesla |
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    mail.gazityres.com | xYUpeXwPkWEHXm4.exe | malicious | AgentTesla | 203.169.24.24
                    mail.gazityres.com | Shipping Documents.exe | malicious | AgentTesla | 203.169.24.24
                    mail.gazityres.com | dwutTyDPzl2TBZV.exe | malicious | AgentTesla | 203.169.24.24
                    mail.gazityres.com | DHL#Shipment0987789.pdf.exe | malicious | AgentTesla | 203.169.24.24
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    GAZICOMM-AS-APGAZICOMMUNICATIONSATELEPORTOPERATORBD | xYUpeXwPkWEHXm4.exe | malicious | AgentTesla | 203.169.24.24
                    GAZICOMM-AS-APGAZICOMMUNICATIONSATELEPORTOPERATORBD | Shipping Documents.exe | malicious | AgentTesla | 203.169.24.24
                    GAZICOMM-AS-APGAZICOMMUNICATIONSATELEPORTOPERATORBD | dwutTyDPzl2TBZV.exe | malicious | AgentTesla | 203.169.24.24
                    GAZICOMM-AS-APGAZICOMMUNICATIONSATELEPORTOPERATORBD | rM8kh7uPK0.elf | malicious | Moobot | 203.169.24.42
                    GAZICOMM-AS-APGAZICOMMUNICATIONSATELEPORTOPERATORBD | DHL#Shipment0987789.pdf.exe | malicious | AgentTesla | 203.169.24.24
                    GAZICOMM-AS-APGAZICOMMUNICATIONSATELEPORTOPERATORBD | TT request.exe | malicious | AgentTesla | 203.169.24.24
                                            No context
                                            Process:C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.33176859579465
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:rJlMhHdHP2mDzMGx.exe
                                            File size:1'025'024 bytes
                                            MD5:aa9057494eca3828c4aaca40ec9d823e
                                            SHA1:d40deb9f879f6c5ff7bd8597d95f6c6592861a60
                                            SHA256:74caca096964cc34ef4132f16a9a0aaa96b2d2a5972ee3c7c55bd5634c88bd70
                                            SHA512:ba6d8bb4288e7f3c18c22c58fda0151f5674502c1ff4a19d658eea25ac03404e8ea9805db6446b3d5f806c58b4a46f6a9037b7f3fcda5f26e54815b2b3ece52f
                                            SSDEEP:12288:AhTSy6oFOimegps2Z/FQue7TzPFHKoQjRMecE1Qw31mvlhCtmrZ64991tNGaOVCL:sLh3YvS9PooQqDE1BFmDZ591lYCL
                                            TLSH:2D25E13D0CBE2A3B9176D2AACFE58867F440D07B3A116D3A94D387954346A9379C313E
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a.................0.................. ........@.. ....................................@................................
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x4fb8de
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0xCCC08961 [Tue Nov 8 21:55:45 2078 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfb88a | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfc000 | 0x5b4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfaa08 | 0x70 | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xf98e4 | 0xf9a00 | 5aa6875a885b47aa8f7db10ad63e7ab6 | False | 0.8031901367676515 | data | 7.337518180611176 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xfc000 | 0x5b4 | 0x600 | 275c0be4f990b35dd6b5fb8ec3b192f6 | False | 0.4270833333333333 | data | 4.115580415461303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xfe000 | 0xc | 0x200 | 678ef7f6efaaf7eefed14a8b6ccf06c7 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0xfc090 | 0x324 | data | | | 0.43905472636815923 |
| RT_MANIFEST | 0xfc3c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 19, 2024 19:20:07.323859930 CEST | 57275 | 53 | 192.168.2.7 | 1.1.1.1 |
| Apr 19, 2024 19:20:08.035631895 CEST | 53 | 57275 | 1.1.1.1 | 192.168.2.7 |
| Apr 19, 2024 19:20:12.957516909 CEST | 56654 | 53 | 192.168.2.7 | 1.1.1.1 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 19, 2024 19:20:07.323859930 CEST | 192.168.2.7 | 1.1.1.1 | 0xd3f7 | Standard query (0) | mail.gazityres.com | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 19:20:12.957516909 CEST | 192.168.2.7 | 1.1.1.1 | 0x4c49 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 19, 2024 19:20:08.035631895 CEST | 1.1.1.1 | 192.168.2.7 | 0xd3f7 | No error (0) | mail.gazityres.com | | 203.169.24.24 | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 19:20:13.062081099 CEST | 1.1.1.1 | 192.168.2.7 | 0x4c49 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 19, 2024 19:20:24.137989998 CEST | 1.1.1.1 | 192.168.2.7 | 0xf71b | No error (0) | windowsupdatebg.s.llnwi.net | | 69.164.42.0 | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 19:20:24.356995106 CEST | 1.1.1.1 | 192.168.2.7 | 0x9482 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 19, 2024 19:20:24.356995106 CEST | 1.1.1.1 | 192.168.2.7 | 0x9482 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 19:20:37.418773890 CEST | 1.1.1.1 | 192.168.2.7 | 0x8287 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 19, 2024 19:20:37.418773890 CEST | 1.1.1.1 | 192.168.2.7 | 0x8287 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 19:21:03.365967989 CEST | 1.1.1.1 | 192.168.2.7 | 0xeb6c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 19:21:03.365967989 CEST | 1.1.1.1 | 192.168.2.7 | 0xeb6c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Apr 19, 2024 19:20:09.114423990 CEST | 587 | 49708 | 203.169.24.24 | 192.168.2.7 | 220-dns1.gazi.com ESMTP Exim 4.96.2 #2 Fri, 19 Apr 2024 23:20:10 +0600 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Apr 19, 2024 19:20:09.115207911 CEST | 49708 | 587 | 192.168.2.7 | 203.169.24.24 | EHLO 818225 |
| Apr 19, 2024 19:20:09.456635952 CEST | 587 | 49708 | 203.169.24.24 | 192.168.2.7 | 250-dns1.gazi.com Hello 818225 [81.181.57.52] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
| | | | | | 250-PIPECONNECT |
| | | | | | 250-STARTTLS |
| | | | | | 250 HELP |
| Apr 19, 2024 19:20:09.456804037 CEST | 49708 | 587 | 192.168.2.7 | 203.169.24.24 | STARTTLS |
| Apr 19, 2024 19:20:09.800446033 CEST | 587 | 49708 | 203.169.24.24 | 192.168.2.7 | 220 TLS go ahead |

                                            Target ID:0
                                            Start time:19:20:03
                                            Start date:19/04/2024
                                            Path:C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\rJlMhHdHP2mDzMGx.exe"
                                            Imagebase:0x590000
                                            File size:1'025'024 bytes
                                            MD5 hash:AA9057494ECA3828C4AACA40EC9D823E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1261980396.0000000004855000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:19:20:04
                                            Start date:19/04/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                            Imagebase:0xa60000
                                            File size:262'432 bytes
                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2471547050.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2476109621.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2476109621.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2476109621.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2476109621.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:8.7%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:215
                                              Total number of Limit Nodes:14
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 614ae8b1fa557f76f8bd13a5f5692b77ab27a0d8d91dd20a21530eccde14fc07
                                              • Instruction ID: e541359a366626f032199d5bf4e417ac84b1ebb1e30dd3881aa20e2ab7bf16a4
                                              • Opcode Fuzzy Hash: 614ae8b1fa557f76f8bd13a5f5692b77ab27a0d8d91dd20a21530eccde14fc07
                                              • Instruction Fuzzy Hash: 2C31E6B0D046588FDB18DF9AC9487EEBBF6FF88300F14C06AD509AB254DBB419468F40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b38242f57179261c19f098349662b42973cba894e262b62fa330114db2acb952
                                              • Instruction ID: ab7a1dfbecf9fc67840332e9925c413a14bff088c4b4b458a4c35b7522dd38fc
                                              • Opcode Fuzzy Hash: b38242f57179261c19f098349662b42973cba894e262b62fa330114db2acb952
                                              • Instruction Fuzzy Hash: 9731C4B1D006588BEB18DF9AC9493EEBBF7FF88300F14C06AD419AA254DB7409468F90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 027AD05E
                                              • GetCurrentThread.KERNEL32 ref: 027AD09B
                                              • GetCurrentProcess.KERNEL32 ref: 027AD0D8
                                              • GetCurrentThreadId.KERNEL32 ref: 027AD131
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261308148.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_27a0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: ee773d4692c8147698e7701ca48d8eec1d4054dd8fd1424f19596faa49d88d0a
                                              • Instruction ID: e19c61e6f56811e64acd3aa671065020ba2a73cfe42778e4cecdbde681bd23fb
                                              • Opcode Fuzzy Hash: ee773d4692c8147698e7701ca48d8eec1d4054dd8fd1424f19596faa49d88d0a
                                              • Instruction Fuzzy Hash: 975156B09003098FEB24DFAAD549BDEBBF1FF88324F248159E409A7350D774A944CB66
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 028F0D56
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: d3f9f8411581cd2cb15a88069a2a88e3eca79929cf2212d1245047fda35841ff
                                              • Instruction ID: deb2c16bb0c40c9179f11a1f688dab26f3717110001573888c68b69e20ea2742
                                              • Opcode Fuzzy Hash: d3f9f8411581cd2cb15a88069a2a88e3eca79929cf2212d1245047fda35841ff
                                              • Instruction Fuzzy Hash: 77A16979D00219CFEB64CFA8C840BEEBBB2BF48314F148569E948E7244DB749985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 028F0D56
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 4aac4511930feb87521f73a8758ebf2842cc17146701a64b8d17e1689c81e4b0
                                              • Instruction ID: 56da58c39677b4dfe91af667213292c3e5bd74f0dfadef3af5e67d0b916f97d6
                                              • Opcode Fuzzy Hash: 4aac4511930feb87521f73a8758ebf2842cc17146701a64b8d17e1689c81e4b0
                                              • Instruction Fuzzy Hash: 24915879D00219CFEB64DFA8C840BEEBBB2BF48314F148169E948E7244DB759985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 027A59C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261308148.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_27a0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: aad7f965028f2e93a872ff1babd0728c8b0c57f8e671b4bc68ebd3c0e6590f27
                                              • Instruction ID: e9f2e485cb628b32e061959897ea6f6c74409940ec18fcd1ea82a6658cee3cce
                                              • Opcode Fuzzy Hash: aad7f965028f2e93a872ff1babd0728c8b0c57f8e671b4bc68ebd3c0e6590f27
                                              • Instruction Fuzzy Hash: 8D41E0B0D00718CFEB24DFAAC88478DBBB5BF48314F20816AD409AB251DB756949CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 027A59C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261308148.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_27a0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: b9fa9af3e508cc15f7084f1a827dbf35e602b78648f9029c74431729ffee80d2
                                              • Instruction ID: 4c5a93c210d4ea664ac434bc30f37800d671cd7e736d66028547df8bb6966120
                                              • Opcode Fuzzy Hash: b9fa9af3e508cc15f7084f1a827dbf35e602b78648f9029c74431729ffee80d2
                                              • Instruction Fuzzy Hash: A541E2B0D00759CFEB24CFA9C8847DDBBB1BF88314F20816AD409AB251DB75694ACF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 028F0928
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: f96dcf1fb68bd40ac8f3f79018c153b9e48c5e9515d82e321068a69a55fba8b2
                                              • Instruction ID: 19314510c9a54e9a99a5f01aa776d6cbc1ffddbf0e77b8f66fa3118f8d7499f8
                                              • Opcode Fuzzy Hash: f96dcf1fb68bd40ac8f3f79018c153b9e48c5e9515d82e321068a69a55fba8b2
                                              • Instruction Fuzzy Hash: 3B2126769003099FDB14CFA9C9817EEBBF5FF48310F10842AE959A7241D7789940CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 028F0928
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: bc782e17aae5eb99d0d0a93e7b80262f34d4b8b37c3a87850c4de11ae8d4f1ce
                                              • Instruction ID: 6205b319c94fb00c6ff4dcf32ad6ede355efd4261b17955ecb3f8067daa9ecf1
                                              • Opcode Fuzzy Hash: bc782e17aae5eb99d0d0a93e7b80262f34d4b8b37c3a87850c4de11ae8d4f1ce
                                              • Instruction Fuzzy Hash: 342133769003099FDB14CFAAC880BEEBBF5FB48310F10842AE918A7241D7789940CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 028F0346
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 644b87640c009122e7d2ad64ea18705afc155f33a697b0c546248f553b188e1f
                                              • Instruction ID: 84c55a54b1d9104d7c5a8d631efc416b08a7d9a160feb780ce867774fd30f2e4
                                              • Opcode Fuzzy Hash: 644b87640c009122e7d2ad64ea18705afc155f33a697b0c546248f553b188e1f
                                              • Instruction Fuzzy Hash: BD215476D003088FDB14DFAAC484BEEBBF4AF48224F14842AD959A7241CB789944CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 028F0A08
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: d3ccfb51b0da02e11b34883e0b5b4602b53a072f837c59f5c8fd85bf3e52832d
                                              • Instruction ID: 7e9e9ea31ca1e01ed234d98d7118592ff93f098eb38d530e6af474ae6ed89a2c
                                              • Opcode Fuzzy Hash: d3ccfb51b0da02e11b34883e0b5b4602b53a072f837c59f5c8fd85bf3e52832d
                                              • Instruction Fuzzy Hash: F62139B5C003598FDB14CFAAC9807EEBBF1FF48320F14852AE919A7640C7389940CB65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 028F0346
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 9b0bba8ba3eecc4211ba1dab07e9587eab1b7f976f9d7b592067a685f622c675
                                              • Instruction ID: 1812d8c21dd8c30f217b1b5ce7c289382d3c536fba024615757907212d94f00e
                                              • Opcode Fuzzy Hash: 9b0bba8ba3eecc4211ba1dab07e9587eab1b7f976f9d7b592067a685f622c675
                                              • Instruction Fuzzy Hash: 98213576D003098FDB14DFAAC484BEEBBF4AF48314F14842AD959A7241CB78A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 028F0A08
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: aa7d696b37c300622d390829921b1afe6ec7d68ebda105fe2cd4c1cd04e14ce9
                                              • Instruction ID: cce151645dcd6c4cc0d51ba68df15f8bbc3f0a9d940baf6051dcaa4b194847a6
                                              • Opcode Fuzzy Hash: aa7d696b37c300622d390829921b1afe6ec7d68ebda105fe2cd4c1cd04e14ce9
                                              • Instruction Fuzzy Hash: 01210575C003599FDB14DFAAC880BEEBBF5FF48310F10842AE919A7240C7799940CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027AD6B7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261308148.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_27a0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: df8b3d13e70c7a1f39fc001576ccca3d5d174fa4768b05937f246730c584f026
                                              • Instruction ID: 7ffd47b225e5e45d1046ff8acb08632de7f535262df7cfdccda7400a5788d957
                                              • Opcode Fuzzy Hash: df8b3d13e70c7a1f39fc001576ccca3d5d174fa4768b05937f246730c584f026
                                              • Instruction Fuzzy Hash: AD21C4B5D002489FDB10CFAAD984ADEFBF4FB48324F14841AE918A7350D375A954CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 028F0846
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 230bc24153dc1624c539c7525c191a750fd740428a384fda8ff084ac7b5de6ac
                                              • Instruction ID: 25730bb18d21837f4a8883a18377d3b653c1078bf00a5f7378c7350e5c6d02c6
                                              • Opcode Fuzzy Hash: 230bc24153dc1624c539c7525c191a750fd740428a384fda8ff084ac7b5de6ac
                                              • Instruction Fuzzy Hash: 0B116776C00208CFDB14DFA9C8417EEBBF1EF48320F14881AE559A7650CB3A9900CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,027AB019,00000800,00000000,00000000), ref: 027AB22A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261308148.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_27a0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 11e03fe5829156b2418b6e752e09b5a673570e8b2f6f72379f31c7e1de3563bf
                                              • Instruction ID: ae671125941f39c82e23e15d25ebada6bb0e9b2a0313852dc6547527089c95e9
                                              • Opcode Fuzzy Hash: 11e03fe5829156b2418b6e752e09b5a673570e8b2f6f72379f31c7e1de3563bf
                                              • Instruction Fuzzy Hash: C91106B6D002089FDB10CF9AD444BDFFBF4AB88324F10852AE915A7640C375A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,027AB019,00000800,00000000,00000000), ref: 027AB22A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261308148.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_27a0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 028F0846
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0

                                              APIs
                                              • FindCloseChangeNotification.KERNEL32(?), ref: 028F4C10
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 027AAF9E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261308148.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_27a0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0

                                              APIs
                                              • FindCloseChangeNotification.KERNEL32(?), ref: 028F4C10
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 028F387D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 028F387D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Teq
                                              • API String ID: 0-1098410595

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Teq
                                              • API String ID: 0-1098410595

                                              • Instruction Fuzzy Hash: B221B330B44250DBE724AA14C922BFA7763FB81705F7580EBE4164F392DA77E842C696
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 79fec143edc8459fa02b37962840b72c74573092b6f5ae5355d71081f20858ee
                                              • Instruction ID: eab11638fd557d7c3b511ca2650c733b5c38a5df2706a78dbeac44578358d5e6
                                              • Opcode Fuzzy Hash: 79fec143edc8459fa02b37962840b72c74573092b6f5ae5355d71081f20858ee
                                              • Instruction Fuzzy Hash: AD31E974E152189FCB15DF99D494AEEBBF1FF48310F10806AE906AB360DB34A945CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 341b12dc75d27efd0ecf0437881eddffa4304025b29403bcdf5d84cc39b1b19a
                                              • Instruction ID: 3bfcf2b8b9cf40921d8ef3bb581bf55b2594712a6e70e85e8aec2d60d6467bd4
                                              • Opcode Fuzzy Hash: 341b12dc75d27efd0ecf0437881eddffa4304025b29403bcdf5d84cc39b1b19a
                                              • Instruction Fuzzy Hash: C3310574E006189FCB15DFA8D499AEEBBF1FF48310F00806AE506AB350DB30A945CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e86db5ace9cb96738807ba22c0ee3393ea8864f07c5d2ff017567a47b174b2b5
                                              • Instruction ID: 4ee4bbc5cf1eb062c1ac751dcb3aac10da5f3ac95cfed86a521962c5fd754949
                                              • Opcode Fuzzy Hash: e86db5ace9cb96738807ba22c0ee3393ea8864f07c5d2ff017567a47b174b2b5
                                              • Instruction Fuzzy Hash: A12139B4D08209CFCB40DF9AC181AFEBBF6EB48310F649066D909A7711D7709A41CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f82a7d18e9e40e2d663c3fb5cec8a0b35b88f3fc4fed5cde83e2e23440fc2ab
                                              • Instruction ID: 3fe57c97ce215e57f14bad703d772ad2d6258e0f32cd50d10a18fc8de3a42867
                                              • Opcode Fuzzy Hash: 7f82a7d18e9e40e2d663c3fb5cec8a0b35b88f3fc4fed5cde83e2e23440fc2ab
                                              • Instruction Fuzzy Hash: D011A730B00205AFDB28FB7598007FF76ABFB84B50F04416AE65A9B348EA30891187D0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fecd93ef1b7d73a78147e689d6112fe31a002a8a8a70b25ac1adcbf4b63e98a9
                                              • Instruction ID: e6a110793bea18b148bdf689c6aff533f11b9c1981c47732981f5e9404aa1226
                                              • Opcode Fuzzy Hash: fecd93ef1b7d73a78147e689d6112fe31a002a8a8a70b25ac1adcbf4b63e98a9
                                              • Instruction Fuzzy Hash: 9F113D74D08208DFC704EFAAC5406FEBBF9FF49320F1995AB944997312D7B0AA418B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 043959a3ad3d50aa134134f1eec0b8c8865049b574d4ea1681a7a3fe4607a56e
                                              • Instruction ID: b7ee88f39e673fad167065a782e16cdbd03e3b86e5705a39fc0e8a1d4199146c
                                              • Opcode Fuzzy Hash: 043959a3ad3d50aa134134f1eec0b8c8865049b574d4ea1681a7a3fe4607a56e
                                              • Instruction Fuzzy Hash: D62108B4D08209CFCB44EF9AC1809FEBBF6AB48310F6491AAD909A7711D7709A41CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 46fc7e3ebbdc173ab8662e1eb4dcae732bc6c82415f334f9771b17d46f3a0687
                                              • Instruction ID: 17c5d78afa7b09792c85d09268d796c9100839fc9e4fa2f7dba274d488a36891
                                              • Opcode Fuzzy Hash: 46fc7e3ebbdc173ab8662e1eb4dcae732bc6c82415f334f9771b17d46f3a0687
                                              • Instruction Fuzzy Hash: AF21F2B59002499FDB20DF9AD884ADEBBF4FB48310F10845AE919A7310C379A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1260954090.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b4d000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                              • Instruction ID: c6f52eadc01b17d375eeb67a61428328268d25877e57d5cc687692bd6045c601
                                              • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                              • Instruction Fuzzy Hash: 9411E176504240CFCB11CF10D5C4B16BFB1FB94324F24C6A9D8090B756C33AE956DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261168944.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10fd000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                              • Instruction ID: 83aa58758bbb4a6e26d2dd960ebc86b54744268e2af64ecc0975517fd265d0ff
                                              • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                              • Instruction Fuzzy Hash: CB11BB79504280DFCB52CF54D5C4B15BBA1FB84324F24C6AED9894BA96C33AD40ACBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261168944.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10fd000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                              • Instruction ID: 7d2e170d4e647f7de5aa6206b6c5326b78d4cce83933c90bb803d8c9c3cd163f
                                              • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                              • Instruction Fuzzy Hash: 4011BB75504280CFCB16CF54D5C4B15FBA2FB84314F24C6AEE9494BA56C33AD40ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c5d9ed25863bbed6db9959c8bf31b1c8afc748700f74a5347d3d6c08ffc3c8b
                                              • Instruction ID: b47e7ee5590c68ed0817477fe46551f3b30867d7abf90f37c0b20f5473e5ef93
                                              • Opcode Fuzzy Hash: 5c5d9ed25863bbed6db9959c8bf31b1c8afc748700f74a5347d3d6c08ffc3c8b
                                              • Instruction Fuzzy Hash: 9511CC74D08208DFCB04EFAAC5419FDBBFAFB49320F199597941997311D7B0AA419B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 52262d2a4537fec0a8bf948919753313236883655a2be16a5bcb3d837efc296e
                                              • Instruction ID: 4e569f261811a69f6ec70cd6c7bd4a51f4d511555fed102419c8623de7824d3d
                                              • Opcode Fuzzy Hash: 52262d2a4537fec0a8bf948919753313236883655a2be16a5bcb3d837efc296e
                                              • Instruction Fuzzy Hash: B4116D74A08208DFCB14DF65D044AFDBBB5FB49301F5090AAE90997345D7749942DB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0fa83958d9028d4801155b92fc8729e94512671d79ef067642c99c9610535f1
                                              • Instruction ID: 62169eddaf83b2237d3059757bfcfea1b1b163b7150324794d1c45b630a3e786
                                              • Opcode Fuzzy Hash: a0fa83958d9028d4801155b92fc8729e94512671d79ef067642c99c9610535f1
                                              • Instruction Fuzzy Hash: 4311E534A08254DFCB24EF58C698AFCB7BAFF49300F559996D41A6B216CB30A885CF14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 228f01a9c06e39ddcebebc2e12088b6aae876fe1f68fc9f99d830174df8d4405
                                              • Instruction ID: a4855c4cc125c902ada10e516283a8cd06173d8b46f46bc8e66ee17fe4656db9
                                              • Opcode Fuzzy Hash: 228f01a9c06e39ddcebebc2e12088b6aae876fe1f68fc9f99d830174df8d4405
                                              • Instruction Fuzzy Hash: 49010C34A08248DFD704EBA9C595AFEFBF6EF49300F1990D9E9499B356DA309E01DB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 889ab85f38a161c2ee923dfbeb1bdd5cd46fb550e6b7811684e4e3227e57600b
                                              • Instruction ID: df3bed45341694bf2a965860a8eccf1c4ac485911ee5ea84588d02ad5dcad1c9
                                              • Opcode Fuzzy Hash: 889ab85f38a161c2ee923dfbeb1bdd5cd46fb550e6b7811684e4e3227e57600b
                                              • Instruction Fuzzy Hash: B711F874E14224CFD764DF24D885BF97BBABB89201F908996A40E9B346DE304D928F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1260954090.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b4d000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf0f958e64dfeb2f7a7e2f111286a5b0122edddd538c82c0a887474a9a94438e
                                              • Instruction ID: d7e03a7d1dac57c91ec9b09d084cd238373f34de95cdc30bb28c7f47553e0dfc
                                              • Opcode Fuzzy Hash: cf0f958e64dfeb2f7a7e2f111286a5b0122edddd538c82c0a887474a9a94438e
                                              • Instruction Fuzzy Hash: A0012B710043409FEB204F25CDC8B66FBD8DF41324F18C59AED090F282C6799D40DAB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 30a16dd0aaaf48c9014d121a9445794f6788c381d10d681ac7ce0e3779d51972
                                              • Instruction ID: 83d3a9477e38449be6b360bace22600f422d95bebedc79e8b79e90ba49b9ef5d
                                              • Opcode Fuzzy Hash: 30a16dd0aaaf48c9014d121a9445794f6788c381d10d681ac7ce0e3779d51972
                                              • Instruction Fuzzy Hash: 47017174E08208DFCB18EFA5D0409FCBBB6FB49311F0090AAD80997305C7719942DF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 39c8c4668459d189d9868d69a012ecc6ef383c82088d5353c40744770ac2ff39
                                              • Instruction ID: 4accadc45918acbb7b096a67575ecc66105f87c4e3ac2965e766f4238042c595
                                              • Opcode Fuzzy Hash: 39c8c4668459d189d9868d69a012ecc6ef383c82088d5353c40744770ac2ff39
                                              • Instruction Fuzzy Hash: 95018631B24201CBE790EAEDE4403FFB3A2AB68352F510837B15AC7284D664D966C256
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c70072006df47cb7da6a34f58150b328dc9eaf045a251b2393b6ad0afc9a3c28
                                              • Instruction ID: e95a66745d7d543b91b3a987c5decdb15e1e147a23b513feb84e668cae53672e
                                              • Opcode Fuzzy Hash: c70072006df47cb7da6a34f58150b328dc9eaf045a251b2393b6ad0afc9a3c28
                                              • Instruction Fuzzy Hash: A4111230E19254CFD704EFA8EA89AEDBBF5FB48310B548256E4169B399DB309801CF00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3218d7c7b056a1a70f0ad454de2a26df8ad9b13aa5dade00b82f42a1e06c5cc9
                                              • Instruction ID: 7a6a5ed6516252fc911b46cb2a29f080a720002a3e6b0226b97f42e6315c4d0e
                                              • Opcode Fuzzy Hash: 3218d7c7b056a1a70f0ad454de2a26df8ad9b13aa5dade00b82f42a1e06c5cc9
                                              • Instruction Fuzzy Hash: DBF01D7094D208DFC704EF55C5409FDBBBAEB4A300B0491A6A9099B22ACB309A46DF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 834bdd04cbc088f1d04ab55381f02393fe4554d7d99f3f18abcc09820bc0a6ee
                                              • Instruction ID: 9d1068e8b972b178d96c33a120b065fc3b2603cb46f54cfbbe1620d3fe0420ac
                                              • Opcode Fuzzy Hash: 834bdd04cbc088f1d04ab55381f02393fe4554d7d99f3f18abcc09820bc0a6ee
                                              • Instruction Fuzzy Hash: 0A01A834A08108DFD704EFA9D685AADBBF6EB49300F159095E9099B355DB71DE01DF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 842a2df33c3743cf84e70f9adaf6f882fa8ceb7b90a293f57447b40966c83607
                                              • Instruction ID: 734ecf3f2d7475fd88f70fdd991443d8f1aaadefb09ebc74eae88ce7cfa93627
                                              • Opcode Fuzzy Hash: 842a2df33c3743cf84e70f9adaf6f882fa8ceb7b90a293f57447b40966c83607
                                              • Instruction Fuzzy Hash: 4F111834A15328CFD7A4DB20D8857F97BBAAB89201F904596A4099B345DB304E95CF52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: +|$+|$,|$,|$,|$,|
                                              • API String ID: 0-587894797
                                              • Opcode ID: 16c095066b9cfe250be699fb1fd03633a580bff36c1dfad33e1e60ee25a0a4e2
                                              • Instruction ID: dc65f6fd56ccb9215f56d1699412ca788341b5505d8f2c1ac7fa7a4e9c75acf3
                                              • Opcode Fuzzy Hash: 16c095066b9cfe250be699fb1fd03633a580bff36c1dfad33e1e60ee25a0a4e2
                                              • Instruction Fuzzy Hash: 28C1BA397006048BDB6ADB79C460B6EB7FBAF89704F54456DC25ACB290DB38E902CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: T+-q$[V~*$]\`
                                              • API String ID: 0-3978741314
                                              • Opcode ID: 533cca8a6dadbd4c08859d0b5e14424564403b5273dded452f3e002e013bdf66
                                              • Instruction ID: f19f8032ea837ace3f24c08453a9df711ee8c4159f63b39f2954a98dda836944
                                              • Opcode Fuzzy Hash: 533cca8a6dadbd4c08859d0b5e14424564403b5273dded452f3e002e013bdf66
                                              • Instruction Fuzzy Hash: 76B1F570E15219DBCB44DFAAD9809EEFBF2FF89300B24D52AD416AB215D731A9028F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: T+-q$[V~*$]\`
                                              • API String ID: 0-3978741314
                                              • Opcode ID: 60b487fbf950ee31a2f910c45e9b1f15d680ac41ca52c62857f0772f16b4437f
                                              • Instruction ID: 7bb1ada7bd1141faf2fb5fff443f2ee621fcb72f2b77e27d52e2aeafa9eb3941
                                              • Opcode Fuzzy Hash: 60b487fbf950ee31a2f910c45e9b1f15d680ac41ca52c62857f0772f16b4437f
                                              • Instruction Fuzzy Hash: 6FA10470E15219DBCB04DFAAD9809EEFBF2FF89300B24D52AD415AB215D331A9028F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tIh
                                              • API String ID: 0-443931868
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1266392962.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5480000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tIh
                                              • API String ID: 0-443931868
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261399730.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1261308148.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_27a0000_rJlMhHdHP2mDzMGx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:11.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:31
                                              Total number of Limit Nodes:5
                                              execution_graph 28561 13409cd 28563 134084e 28561->28563 28562 134091b 28563->28562 28566 1341380 28563->28566 28571 1341488 28563->28571 28568 1341396 28566->28568 28567 1341484 28567->28563 28568->28567 28569 1341488 4 API calls 28568->28569 28577 1347088 28568->28577 28569->28568 28573 134148b 28571->28573 28574 1341396 28571->28574 28572 1341484 28572->28563 28573->28563 28574->28572 28575 1341488 4 API calls 28574->28575 28576 1347088 4 API calls 28574->28576 28575->28574 28576->28574 28578 1347092 28577->28578 28579 13470cf 28578->28579 28584 629cf59 28578->28584 28589 629cf68 28578->28589 28579->28568 28580 13470ac 28580->28579 28594 629e2ff 28580->28594 28586 629cf62 28584->28586 28585 629d192 28585->28580 28586->28585 28587 629d578 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 28586->28587 28588 629d5c0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 28586->28588 28587->28586 28588->28586 28591 629cf7d 28589->28591 28590 629d192 28590->28580 28591->28590 28592 629d5c0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 28591->28592 28593 629d578 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 28591->28593 28592->28591 28593->28591 28595 629e2bb GlobalMemoryStatusEx 28594->28595 28597 629e306 28594->28597 28596 629e2ce 28595->28596 28596->28579 28597->28579 28597->28597
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bea2b8e8d5ddb804c366e83131538ed1c652b71f63bb8bc82c8abe7985e1a18e
                                              • Instruction ID: cb4f3b7c8eab4ff5a3269769740411569622999f88e929c40f84316117f80876
                                              • Opcode Fuzzy Hash: bea2b8e8d5ddb804c366e83131538ed1c652b71f63bb8bc82c8abe7985e1a18e
                                              • Instruction Fuzzy Hash: 23630A31D10B198ADB51EF68C8806A9F7B1FF99300F15D79AE4587B125EB70AAC4CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e320ebb4cd6585cb6fe5390e3051d362bc7abcf810fba6a28266a29f1dcffcd9
                                              • Instruction ID: 1241433060641bdcead1b2d6a0c2b5041852c3a6172f6143b92f219f0c44ff92
                                              • Opcode Fuzzy Hash: e320ebb4cd6585cb6fe5390e3051d362bc7abcf810fba6a28266a29f1dcffcd9
                                              • Instruction Fuzzy Hash: 06331E31D107198FDB11EF68C8806ADF7B1FF99304F14D69AD458AB225EB70AAC5CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \VNm
                                              • API String ID: 0-2505523818
                                              • Opcode ID: 851c7febd70d3a4ecca8e4f6524fa201007674cb65c8c503d1bf3381af657c5e
                                              • Instruction ID: ab298e27213e8b202f1f86061f75169d3dd30cec2468f0060b9a89da5698b84c
                                              • Opcode Fuzzy Hash: 851c7febd70d3a4ecca8e4f6524fa201007674cb65c8c503d1bf3381af657c5e
                                              • Instruction Fuzzy Hash: 9DB15E70E00209DFDF14CFA9C9857ADBBF2BF88718F148139E815A7294EB74A845CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \VNm
                                              • API String ID: 0-2505523818
                                              • Opcode ID: 04e4cdedd4bbbbef77843968cf5978026b78a2bd331cc2a1129169eb87f04360
                                              • Instruction ID: 8c8163874b076a41a7b695efbe03aba47ff5f3f86bf5c599c9154c60f7862f47
                                              • Opcode Fuzzy Hash: 04e4cdedd4bbbbef77843968cf5978026b78a2bd331cc2a1129169eb87f04360
                                              • Instruction Fuzzy Hash: EE913B70E002199FEF14CFA9D98579EBBF2BF88318F148129E415A7294EB74A845CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a6b70745d5e72772db75718de10723baaafa209a7a816804cc1c8dfe5519eff8
                                              • Instruction ID: 204fa0548a32febee9e4747e0f6e2a85ea9b38454b4780c4e1326b6e680b6ef7
                                              • Opcode Fuzzy Hash: a6b70745d5e72772db75718de10723baaafa209a7a816804cc1c8dfe5519eff8
                                              • Instruction Fuzzy Hash: 66325C34A002058FDB15DF69D584BAEBBF2EF88318F148569E906EB395DB34EC45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 065aa60fb20181a2df7c39d74ca731ed227a32b00f1567c86c82fb0e02b1ae52
                                              • Instruction ID: 36810a1841a58b5907bdd17d2583b1da6dbf9fdae01bae9d333f0984ddd1859d
                                              • Opcode Fuzzy Hash: 065aa60fb20181a2df7c39d74ca731ed227a32b00f1567c86c82fb0e02b1ae52
                                              • Instruction Fuzzy Hash: E6B14E70E003099FDF14CFA9D98579DBBF2AF48318F188139D855EB254EB74A845CB85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRq$LRq
                                              • API String ID: 0-3710822783
                                              • Opcode ID: dabf3ff492723ed2ee5689f0fab0dfc3627f5f9a7731a146118ca60eb3edc5df
                                              • Instruction ID: 706a19d95a8ae96300e1060033ad0309e0ce15015f54dfd58b84cc8a4e7eb3f1
                                              • Opcode Fuzzy Hash: dabf3ff492723ed2ee5689f0fab0dfc3627f5f9a7731a146118ca60eb3edc5df
                                              • Instruction Fuzzy Hash: 06518D70A042498FDB15DF79C4657AEBBB2EF86304F20846AE445EB351DB71AC46CB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2482851525.0000000006290000.00000040.00000800.00020000.00000000.sdmp, Offset: 06290000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6290000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ded6ad9685c52da5c38a6aa73ec48c333137603455d968f6f477d0a766b67e1
                                              • Instruction ID: 486d393b319999fc4e25c4aa88c95f53cb1c8a2c5cebe48e9ec738bbc54d4839
                                              • Opcode Fuzzy Hash: 6ded6ad9685c52da5c38a6aa73ec48c333137603455d968f6f477d0a766b67e1
                                              • Instruction Fuzzy Hash: CA411272D1079A8FCB10CF69D8442EEBBF1AFC9210F15856AD845A7641DB389845CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0629E1D2), ref: 0629E2BF
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2482851525.0000000006290000.00000040.00000800.00020000.00000000.sdmp, Offset: 06290000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6290000_MSBuild.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 7118b6ac61154cde9f6610c4f587172ae5ff41ebb25fc4acd28a6c04847ca11a
                                              • Instruction ID: ce25335cb3d98239d540f01904159ac0ca242e56753e149272ec630e92d4b542
                                              • Opcode Fuzzy Hash: 7118b6ac61154cde9f6610c4f587172ae5ff41ebb25fc4acd28a6c04847ca11a
                                              • Instruction Fuzzy Hash: 8041DD32E102099FDF20DB69C444BADBBB1EF89310F25842AE845EB351C734AD45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0629E1D2), ref: 0629E2BF
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2482851525.0000000006290000.00000040.00000800.00020000.00000000.sdmp, Offset: 06290000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6290000_MSBuild.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: a95e9d776513d0faf659c588cf69bf2a61987f8562809d4a261873fd0fb6a958
                                              • Instruction ID: 221d1b397d77580affc40a14336e3561892021722d5051d6a3db14e974bf336d
                                              • Opcode Fuzzy Hash: a95e9d776513d0faf659c588cf69bf2a61987f8562809d4a261873fd0fb6a958
                                              • Instruction Fuzzy Hash: EB1136B1C1065A9FDB10CF9AC444B9EFBF4AF48210F11816AE914A7640D378A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \VNm
                                              • API String ID: 0-2505523818
                                              • Opcode ID: 2563ba08318dd713061e1529adcdedca759e8db3b11b3df5594f5521d8aaad1b
                                              • Instruction ID: 04bd52708ae092ea831c058f36a7eada3e69049a3ef775341349a95170ca8321
                                              • Opcode Fuzzy Hash: 2563ba08318dd713061e1529adcdedca759e8db3b11b3df5594f5521d8aaad1b
                                              • Instruction Fuzzy Hash: 45B14B70E00209DFDF14CFA9D98579DBBF1BF48718F248139E815AB294DB74A845CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \VNm
                                              • API String ID: 0-2505523818
                                              • Opcode ID: 598db7c0971c2154dc6062047890fb5db1b0715db62965fa10c7287c4bb61cef
                                              • Instruction ID: da038eda8efe8bb87c13de6bf64cde5ca93b28604e8d81cfa62fda1b66f326bb
                                              • Opcode Fuzzy Hash: 598db7c0971c2154dc6062047890fb5db1b0715db62965fa10c7287c4bb61cef
                                              • Instruction Fuzzy Hash: 8AA15B70E00219DFEF14CFA9D985BDEBBF1BF48318F148129E415AB294EB74A845CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHq
                                              • API String ID: 0-3820536768
                                              • Opcode ID: f2d339c226aae66ce8f663e30165a463f5127b13ac61e43d1c398736fba9a233
                                              • Instruction ID: 31481c9d91323945aa1d7b1bdfe6a0440aec72b5b8b993719ea00fe35c768b52
                                              • Opcode Fuzzy Hash: f2d339c226aae66ce8f663e30165a463f5127b13ac61e43d1c398736fba9a233
                                              • Instruction Fuzzy Hash: 10312630B002058FDB259B38C4247AE7BE7AF89214F184568D446DB389DF35EC47CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHq
                                              • API String ID: 0-3820536768
                                              • Opcode ID: 601c504e59e7db9a0fba85104038956e459e4c0b876c345d7dbb9726da9c736b
                                              • Instruction ID: 7804019d7a43939b2d908b45ab0a861ddd6ab1021e2fdad01c1958e0824082e3
                                              • Opcode Fuzzy Hash: 601c504e59e7db9a0fba85104038956e459e4c0b876c345d7dbb9726da9c736b
                                              • Instruction Fuzzy Hash: 2531E230B002058FDB25AB39C4546AE7BE7AF89644F284568D446DB389DF31EC47CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRq
                                              • API String ID: 0-3187445251
                                              • Opcode ID: eeb85f489b931ca79c9bfae5063516aefd2291d52c20382749e07b7fab5874e8
                                              • Instruction ID: a3dd627d5df9b8fb85bd08ea65b0f8007787529968342b216615cebe7f167840
                                              • Opcode Fuzzy Hash: eeb85f489b931ca79c9bfae5063516aefd2291d52c20382749e07b7fab5874e8
                                              • Instruction Fuzzy Hash: B1316C74E102099FDB25CFA9D4507AEB7B6EF85304F60852AE406FB340EBB1ED458B40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRq
                                              • API String ID: 0-3187445251
                                              • Opcode ID: 92a8a60394f9c8417521a21aead3c44bb4f2cfedbfe0ba24521ddb3359118ed1
                                              • Instruction ID: 20382574a460fd456fbb389dd9a50c835010cd62848a5186a3ecdb10e44cfe8f
                                              • Opcode Fuzzy Hash: 92a8a60394f9c8417521a21aead3c44bb4f2cfedbfe0ba24521ddb3359118ed1
                                              • Instruction Fuzzy Hash: E721B3317042815FC712AB7C94616EE7FF6EF8B310B0445AAD4C5CF355DA269C46C7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0bf10edc44d90a821a6326d129aa1fb443ec2452ccb6db182faf69b05752713
                                              • Instruction ID: d7bedf3543b6d6186f2158e4496934662de8b26800f84d00bfd8eef8deffca08
                                              • Opcode Fuzzy Hash: a0bf10edc44d90a821a6326d129aa1fb443ec2452ccb6db182faf69b05752713
                                              • Instruction Fuzzy Hash: 9B12AE31B0020ADFDB26BB38E59426D33A6FB85324B145E29E505CF755CF31EC8A8B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8abb1dd32c20c9f677aa5139104d7a512d5c0843e4376768254cc9a0cf9041e2
                                              • Instruction ID: 9216f9a6e4096d738f0ce1f19e9c4f65c6100725553106fe2095e9e6a528cd14
                                              • Opcode Fuzzy Hash: 8abb1dd32c20c9f677aa5139104d7a512d5c0843e4376768254cc9a0cf9041e2
                                              • Instruction Fuzzy Hash: A6B15B70E00209DFDF14CFA9D88579DBBF1AF48318F288139E855EB294EB74A845CB85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e23bd38dceb99927b6fc3689e29e7587bb8101f38f1d6dc4f0f03510e5cf9ba
                                              • Instruction ID: bcf35332a748f3c772cfac3827ac1fabff656f3f3eb0e1a6c0ecaed898b71eb3
                                              • Opcode Fuzzy Hash: 0e23bd38dceb99927b6fc3689e29e7587bb8101f38f1d6dc4f0f03510e5cf9ba
                                              • Instruction Fuzzy Hash: 4CA19138A002059FDB15DB69D584BAEBBF2EF8C328F148565E906E7355DB34EC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2473380061.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_107d000_MSBuild.jbxd

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 561348c44826f20cdc0eafb0226d921528ac8da1cbf8cbe618ae1c2bc1969efc
                                              • Instruction ID: 5b6eae7d683a4077d7636013cbecc615b2d224911964d775faa2bcb5f08ff23c
                                              • Opcode Fuzzy Hash: 561348c44826f20cdc0eafb0226d921528ac8da1cbf8cbe618ae1c2bc1969efc
                                              • Instruction Fuzzy Hash: 5A014031F106259BCB65EFBC84501EE7BF5EB58214B240479D905E7341E735E8818BD5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d5caf11dbbbaea8a16c612cee1c58682a96bae74b834ea9e07f619006c48aad
                                              • Instruction ID: feceb2fe4659b18087d4473dfed482a5ad95856cea0297457a1db876b1419e0f
                                              • Opcode Fuzzy Hash: 4d5caf11dbbbaea8a16c612cee1c58682a96bae74b834ea9e07f619006c48aad
                                              • Instruction Fuzzy Hash: B101B534A002058FEB14EF65D94578EBBA5FF84314F548164D84C5F299EB70E905CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3a8e2702b3c9761f6c3d0ae43c12ddb28dd0c76efc9696b994219e06888f7bb7
                                              • Instruction ID: 081bb53a3fa688f73a1fde476a464dcfb9ca7b639d63d0564e244dfd5a74a4f6
                                              • Opcode Fuzzy Hash: 3a8e2702b3c9761f6c3d0ae43c12ddb28dd0c76efc9696b994219e06888f7bb7
                                              • Instruction Fuzzy Hash: 54F02726B0C2118FFE1F80B854702F83BEC8F62238B8544A6E7C8D7573F114A9A5D662
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 675c74981aa68c69c974dd8c0c730eefb1e7dd6afddd7e5cc71b08f36c7d9f5c
                                              • Instruction ID: db2b259e3c7405a97606199c62e943bdd0d20e931499cfd30464687f7809b4c6
                                              • Opcode Fuzzy Hash: 675c74981aa68c69c974dd8c0c730eefb1e7dd6afddd7e5cc71b08f36c7d9f5c
                                              • Instruction Fuzzy Hash: D001A274900389AFEB16FBB4E8606ED7FB1AF41310B004699C8115F29ADF31AD06CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94bf748753043c735c89ed761fa3792cf6ead50590d1f96aa95c3892957e9c26
                                              • Instruction ID: c56a40ffd8e85f3c1645d42b14eafae54fff1a59917c4649ef9f7071cd76ee22
                                              • Opcode Fuzzy Hash: 94bf748753043c735c89ed761fa3792cf6ead50590d1f96aa95c3892957e9c26
                                              • Instruction Fuzzy Hash: 42F0C43AB40618CFD704EB68D598B6C77B2FF88315F5044A8E9069B3A4DB31AC52CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2475069155.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1340000_MSBuild.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cdf294417685c78013417d2db84749846b6c21193e2bad0fa284b97db411d9f4
                                              • Instruction ID: d740009d1e4a2e280fbb0af320758e8dbf2744a9324ae6a69ebfc93a16b35931
                                              • Opcode Fuzzy Hash: cdf294417685c78013417d2db84749846b6c21193e2bad0fa284b97db411d9f4
                                              • Instruction Fuzzy Hash: BBF03134900209EFDB45FBB4E9516ED7BB5AB40700F504668C8059F359EF31AE09CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%