
Windows Analysis Report
HAhJORNtiOFCEGH.exe

Overview

General Information

Sample name: HAhJORNtiOFCEGH.exe
Analysis ID: 1436312
MD5: 71188fae17ca6e068158080cd9be278a
SHA1: 1d2aaa378a8543283ab0af492da4351557948eab
SHA256: 1a220cf90de5204b1f33c388537f695421fc1388dd2ed8315efa211d0113ea6e
Tags: exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • HAhJORNtiOFCEGH.exe (PID: 1220 cmdline: "C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe" MD5: 71188FAE17CA6E068158080CD9BE278A)
    • MSBuild.exe (PID: 1732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pu.edu.af", "Username": "saif.rohi@pu.edu.af", "Password": "Ro#@.com55"}

Yara matches (memory dumps):
Source: 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000002.00000002.3213980028.00000000026F9000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.2008352418.0000000005990000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
(truncated; the full report lists 13 entries)

Yara matches (unpacked PEs):
Source: 0.2.HAhJORNtiOFCEGH.exe.5990000.10.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 2.2.MSBuild.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 2.2.MSBuild.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
(truncated; the full report lists 22 entries)

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.132.98.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 1732, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
No Snort rule has matched

AV Detection

Source: HAhJORNtiOFCEGH.exe | Avira: detected
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pu.edu.af", "Username": "saif.rohi@pu.edu.af", "Password": "Ro#@.com55"}
Source: HAhJORNtiOFCEGH.exe | ReversingLabs: Detection: 60%
Source: HAhJORNtiOFCEGH.exe | Virustotal: Detection: 61%
Source: HAhJORNtiOFCEGH.exe | Joe Sandbox ML: detected
Source: HAhJORNtiOFCEGH.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: HAhJORNtiOFCEGH.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 103.132.98.224:587
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91 (repeated 14 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.pu.edu.af
Source: MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.pu.edu.af
Source: MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3217189090.0000000005A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/03
Source: MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3217189090.0000000005A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: HAhJORNtiOFCEGH.exe, 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, HAhJORNtiOFCEGH.exe, 00000000.00000002.2000500638.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3212849902.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, lBLTBzkV.cs | .Net Code: h9f
Source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.raw.unpack, lBLTBzkV.cs | .Net Code: h9f

System Summary

Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Code function: 0_2_0157EFC4
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Code function: 0_2_054B0040
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Code function: 0_2_054B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00A99370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00A94A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00A99BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00A93E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00A9CE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00A941C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B4DD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B4BCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B43F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B456D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B48B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B42AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B44FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B43248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00A99BE0
Source: HAhJORNtiOFCEGH.exe, 00000000.00000002.1997458410.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dllD vs HAhJORNtiOFCEGH.exe
Source: HAhJORNtiOFCEGH.exe, 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0eb1f663-67ab-4af7-95d7-b04526baf746.exe4 vs HAhJORNtiOFCEGH.exe
Source: HAhJORNtiOFCEGH.exe, 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs HAhJORNtiOFCEGH.exe
Source: HAhJORNtiOFCEGH.exe, 00000000.00000002.2008125884.0000000005850000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dllD vs HAhJORNtiOFCEGH.exe
Source: HAhJORNtiOFCEGH.exe, 00000000.00000002.1995982294.000000000104E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs HAhJORNtiOFCEGH.exe
Source: HAhJORNtiOFCEGH.exe, 00000000.00000002.2008617950.0000000006470000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs HAhJORNtiOFCEGH.exe
Source: HAhJORNtiOFCEGH.exe, 00000000.00000002.1997458410.0000000002F95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0eb1f663-67ab-4af7-95d7-b04526baf746.exe4 vs HAhJORNtiOFCEGH.exe
Source: HAhJORNtiOFCEGH.exe | Binary or memory string: OriginalFilenameJgSD.exe8 vs HAhJORNtiOFCEGH.exe
Source: HAhJORNtiOFCEGH.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: HAhJORNtiOFCEGH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.raw.unpack, XG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.raw.unpack, XG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, kGWv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, 84Zwl.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, Z80kh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, R7VqEELv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, iWM.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, tHB.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, Dc1iLNJ5UkRfSTkZN2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | Security API names: _0020.SetAccessControl
Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | Security API names: _0020.AddAccessRule
Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, Dc1iLNJ5UkRfSTkZN2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | Security API names: _0020.SetAccessControl
Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | Security API names: _0020.AddAccessRule
Source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.HAhJORNtiOFCEGH.exe.5990000.10.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HAhJORNtiOFCEGH.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Mutant created: \Sessions\1\BaseNamedObjects\IWOrPDDBFuQR
Source: HAhJORNtiOFCEGH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HAhJORNtiOFCEGH.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HAhJORNtiOFCEGH.exe | ReversingLabs: Detection: 60%
Source: HAhJORNtiOFCEGH.exe | Virustotal: Detection: 61%
Source: unknown | Process created: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe "C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe"
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: HAhJORNtiOFCEGH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HAhJORNtiOFCEGH.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      barindex
                      Source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: 0.2.HAhJORNtiOFCEGH.exe.5990000.10.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | .Net Code: pIsqOFBfgy System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | .Net Code: pIsqOFBfgy System.Reflection.Assembly.Load(byte[])
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B4DC95 push eax; ret 2_2_05B4DCB1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05B43AD3 push ebx; retf 2_2_05B43ADA
                      Source: HAhJORNtiOFCEGH.exe | Static PE information: section name: .text entropy: 7.977281565173417
                      Source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, ruQ8tI6i2Em3fNYM2u.cs | High entropy of concatenated method names: 'cieAPGKLfO', 'GeTAcffNSM', 'ynqAqvNDCk', 'iOuAU2eG9n', 'pqaAXUKDZW', 'BHTAvowi6W', 'AGCAQ1laM6', 'rd4EBIsFfV', 'icqEiw7ZOc', 'TdPENydUwW'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, zVFp8RoNdyDYkSgkGw.cs | High entropy of concatenated method names: 'jKcO0CO9p', 'g5SrTykmM', 'tEloF0K9D', 'QbL1TLuSR', 'IwIgUFuwF', 'HfXMX53AP', 'tJG53gMC1ZF0hjI6vU', 'pK4qU0ieU2HJYNLwbH', 'yY9EUQa8R', 'J3DHcjCth'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, JJSuL8prqVlGxcasRx.cs | High entropy of concatenated method names: 'yJoeU0kFwj', 'r6BeLDLZ4W', 'BG3eQ9qsIi', 'AYOQCHUZiw', 'o5EQzOJ0Jw', 'AcYeWN4wKI', 'Q62ePOFnPm', 'u9HeDusW4b', 'FhTecHdVOC', 'qIoeqkn7NA'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, NLOTVdzMnNZQB8J18m.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ClaAslQHSV', 'ahtAnrRXej', 'EalAV8g9PJ', 'W26AdXPt9F', 'zdbAEusW9m', 'wpDAAPmpH2', 'iAbAH10BtS'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, sp9Hwt3dljIZtOueZJ.cs | High entropy of concatenated method names: 'OvGEppneaC', 'h7PEfdKAmE', 'IB0E8OgexM', 'X0hEJY8dTF', 'Fs6EY6nRRv', 'YHoE7ev38I', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, MDbDD9W5C0yYFqeWAL.cs | High entropy of concatenated method names: 'ToString', 'PM5V6lPmsD', 'zGpVfN5rl0', 'k8hV8hXygN', 'oTeVJyKHv6', 'ctCV70Xu0H', 'CnkV0pxOdp', 'Cc3Vl2UFtW', 'q74VkKIHc5', 'm4ZVRRefD6'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, UFNIfkOrSlIxN2DKIB.cs | High entropy of concatenated method names: 'w1bdbLb1aF', 'BEEdZjodtP', 'ToString', 'zPFdUWPwVp', 'b5NdX5RB4x', 'PdHdLm88Z4', 'jLDdvutAqy', 'zrGdQuqfAF', 'RG7de432bA', 'CKbd3Yf0tw'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, Dc1iLNJ5UkRfSTkZN2.cs | High entropy of concatenated method names: 'PF6XYIkEla', 'feWXj4TbZ3', 'w7xXSA6RE9', 'hwsX488gyC', 'h7mXFyt5ZO', 'E0wXyxIVYv', 'RkwXBjcn9t', 'II7XiTIhhT', 'nKIXNZbhK0', 'ftNXCFKd5F'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, RPFdcvtaBxxcVHrL0K.cs | High entropy of concatenated method names: 'JaSQxjSAEI', 'cmBQXJVQ7g', 'EtrQviB6N8', 'stqQexJVUZ', 'E56Q3MTOM0', 'e9JvF7FNDQ', 'xOLvyI9YXU', 'UuRvBqeUGp', 'E0WvimF2rw', 'YbuvNQx54q'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, YlojcY4b1rUNsD4COUy.cs | High entropy of concatenated method names: 'E78AuP1OM1', 'S3FAKSGbPc', 'oFvAOCBxX0', 'qIRArvanEV', 'UQnAhVybbt', 'hS2AoMilHZ', 'uf9A1qoRZ6', 'vLtAteZ38m', 'zXVAg283Vy', 'g2EAMjZIpf'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, R2d87GuSMyBCwj2CTo.cs | High entropy of concatenated method names: 'ITtLrQESdG', 'SSHLoRB1Bs', 'JDiLtXuLMw', 'mUBLgFTLvS', 'fe4LnoQfOR', 'v3ALVgx10H', 'COsLdCTkAb', 'gSqLEjwjCc', 'TEdLAMITfu', 'vlVLH0Bj5S'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, JyL7kuewXLW11uXMkt.cs | High entropy of concatenated method names: 'jO6euw8CHr', 'AYFeKyesfF', 'UYMeOjEqrR', 'PdQerGteHN', 'UNtehYxiti', 'hqjeoRibiN', 'ChPe16Y8XD', 'scMetMh190', 'pZFegww6eW', 'be6eMVqg8n'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, yHeMFIBT9KvmrXcaWR.cs | High entropy of concatenated method names: 'TrfdiDePrj', 'e4VdCHPM0F', 'LJMEWxLTUP', 'SJuEPOtEKT', 'eNld6PRk0I', 'RBcdwqh3i6', 'vHDd2o1ji3', 'zE2dYaV67l', 'odqdjyjwSV', 'ijcdS5sUPq'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, lWH37U4U7JCjq4wYTCA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oiHHYrbVhK', 'nUHHjluZgT', 'oFVHSo3OM8', 'BHRH4hixve', 'dYZHFRUl1I', 'lqmHyRbDLZ', 'B7OHBOA02E'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, aS4pFpaXJxb9RHadRc.cs | High entropy of concatenated method names: 'XTYEUCwyBJ', 'S30EXMZdaD', 'C0xELcXGZl', 'jBUEvPi8k6', 'g5JEQ8OJjY', 'w8BEeToxti', 'blFE3YjHvw', 'bk6EaR73M6', 'mGLEbWkbvx', 'kviEZ1t3M1'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, uiMtnU0RvnAe8rt9o0.cs | High entropy of concatenated method names: 'SkostZdh9p', 'kKQsgP3a3A', 'ct3spOytpW', 'XfVsfRPVme', 'pMdsJe4xjZ', 'IBus7anCC6', 'Weasl2ZAub', 'qobskUowJY', 'WqGsGmhW2a', 'NTqs6gd2eP'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, G3TejlwEAjCaHxvFL9.cs | High entropy of concatenated method names: 'UNw6Tc3QunRnXj1YGGO', 'pJk6sb3BsffCflGPh9R', 'V7EQEbEnKS', 'yNFQAbkZTJ', 'QisQHXeBvP', 'qvBa4K3ZGwP5DcmOxVs', 'JnYrkZ3abNrgVj2jMKj'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | High entropy of concatenated method names: 'zFjcxy8JJM', 'WdVcUWseZC', 'O5CcXm1wqq', 'lOecLA9og5', 'xfLcvDrmeo', 'Tm7cQbq4hL', 'DAyceRSnQS', 'FD9c3Z7qsC', 'uwxcaXFIpX', 'GbacbSDDv2'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, Iw57mIcu4Uipo3Drfu.cs | High entropy of concatenated method names: 'Dispose', 'kR1PNe6aRi', 'WZeDfj8Ehf', 'nViTT1klWO', 'siwPC0GS6G', 'I2xPz68Bet', 'ProcessDialogKey', 'JqbDW9Cs8M', 'HEXDP5YPAu', 'P6DDDlp8a3'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.6470000.11.raw.unpack, JPjDV4GsB2OQCPkt36.cs | High entropy of concatenated method names: 'fMTPe3HgFH', 'eQMP3VG0NE', 'SfhPbsC3ke', 'DtJPZrqPHF', 'NeNPn0dTDu', 'msSPVPAhHA', 'IPCE1gjUsSA4n8swhL', 'DDgXoHdpr7dfRA7x7V', 'BAePPrCfbm', 'gG3PcpOF2r'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, ruQ8tI6i2Em3fNYM2u.cs | High entropy of concatenated method names: 'cieAPGKLfO', 'GeTAcffNSM', 'ynqAqvNDCk', 'iOuAU2eG9n', 'pqaAXUKDZW', 'BHTAvowi6W', 'AGCAQ1laM6', 'rd4EBIsFfV', 'icqEiw7ZOc', 'TdPENydUwW'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, zVFp8RoNdyDYkSgkGw.cs | High entropy of concatenated method names: 'jKcO0CO9p', 'g5SrTykmM', 'tEloF0K9D', 'QbL1TLuSR', 'IwIgUFuwF', 'HfXMX53AP', 'tJG53gMC1ZF0hjI6vU', 'pK4qU0ieU2HJYNLwbH', 'yY9EUQa8R', 'J3DHcjCth'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, JJSuL8prqVlGxcasRx.cs | High entropy of concatenated method names: 'yJoeU0kFwj', 'r6BeLDLZ4W', 'BG3eQ9qsIi', 'AYOQCHUZiw', 'o5EQzOJ0Jw', 'AcYeWN4wKI', 'Q62ePOFnPm', 'u9HeDusW4b', 'FhTecHdVOC', 'qIoeqkn7NA'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, NLOTVdzMnNZQB8J18m.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ClaAslQHSV', 'ahtAnrRXej', 'EalAV8g9PJ', 'W26AdXPt9F', 'zdbAEusW9m', 'wpDAAPmpH2', 'iAbAH10BtS'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, sp9Hwt3dljIZtOueZJ.cs | High entropy of concatenated method names: 'OvGEppneaC', 'h7PEfdKAmE', 'IB0E8OgexM', 'X0hEJY8dTF', 'Fs6EY6nRRv', 'YHoE7ev38I', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, MDbDD9W5C0yYFqeWAL.cs | High entropy of concatenated method names: 'ToString', 'PM5V6lPmsD', 'zGpVfN5rl0', 'k8hV8hXygN', 'oTeVJyKHv6', 'ctCV70Xu0H', 'CnkV0pxOdp', 'Cc3Vl2UFtW', 'q74VkKIHc5', 'm4ZVRRefD6'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, UFNIfkOrSlIxN2DKIB.cs | High entropy of concatenated method names: 'w1bdbLb1aF', 'BEEdZjodtP', 'ToString', 'zPFdUWPwVp', 'b5NdX5RB4x', 'PdHdLm88Z4', 'jLDdvutAqy', 'zrGdQuqfAF', 'RG7de432bA', 'CKbd3Yf0tw'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, Dc1iLNJ5UkRfSTkZN2.cs | High entropy of concatenated method names: 'PF6XYIkEla', 'feWXj4TbZ3', 'w7xXSA6RE9', 'hwsX488gyC', 'h7mXFyt5ZO', 'E0wXyxIVYv', 'RkwXBjcn9t', 'II7XiTIhhT', 'nKIXNZbhK0', 'ftNXCFKd5F'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, RPFdcvtaBxxcVHrL0K.cs | High entropy of concatenated method names: 'JaSQxjSAEI', 'cmBQXJVQ7g', 'EtrQviB6N8', 'stqQexJVUZ', 'E56Q3MTOM0', 'e9JvF7FNDQ', 'xOLvyI9YXU', 'UuRvBqeUGp', 'E0WvimF2rw', 'YbuvNQx54q'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, YlojcY4b1rUNsD4COUy.cs | High entropy of concatenated method names: 'E78AuP1OM1', 'S3FAKSGbPc', 'oFvAOCBxX0', 'qIRArvanEV', 'UQnAhVybbt', 'hS2AoMilHZ', 'uf9A1qoRZ6', 'vLtAteZ38m', 'zXVAg283Vy', 'g2EAMjZIpf'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, R2d87GuSMyBCwj2CTo.cs | High entropy of concatenated method names: 'ITtLrQESdG', 'SSHLoRB1Bs', 'JDiLtXuLMw', 'mUBLgFTLvS', 'fe4LnoQfOR', 'v3ALVgx10H', 'COsLdCTkAb', 'gSqLEjwjCc', 'TEdLAMITfu', 'vlVLH0Bj5S'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, JyL7kuewXLW11uXMkt.cs | High entropy of concatenated method names: 'jO6euw8CHr', 'AYFeKyesfF', 'UYMeOjEqrR', 'PdQerGteHN', 'UNtehYxiti', 'hqjeoRibiN', 'ChPe16Y8XD', 'scMetMh190', 'pZFegww6eW', 'be6eMVqg8n'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, yHeMFIBT9KvmrXcaWR.cs | High entropy of concatenated method names: 'TrfdiDePrj', 'e4VdCHPM0F', 'LJMEWxLTUP', 'SJuEPOtEKT', 'eNld6PRk0I', 'RBcdwqh3i6', 'vHDd2o1ji3', 'zE2dYaV67l', 'odqdjyjwSV', 'ijcdS5sUPq'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, lWH37U4U7JCjq4wYTCA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oiHHYrbVhK', 'nUHHjluZgT', 'oFVHSo3OM8', 'BHRH4hixve', 'dYZHFRUl1I', 'lqmHyRbDLZ', 'B7OHBOA02E'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, aS4pFpaXJxb9RHadRc.cs | High entropy of concatenated method names: 'XTYEUCwyBJ', 'S30EXMZdaD', 'C0xELcXGZl', 'jBUEvPi8k6', 'g5JEQ8OJjY', 'w8BEeToxti', 'blFE3YjHvw', 'bk6EaR73M6', 'mGLEbWkbvx', 'kviEZ1t3M1'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, uiMtnU0RvnAe8rt9o0.cs | High entropy of concatenated method names: 'SkostZdh9p', 'kKQsgP3a3A', 'ct3spOytpW', 'XfVsfRPVme', 'pMdsJe4xjZ', 'IBus7anCC6', 'Weasl2ZAub', 'qobskUowJY', 'WqGsGmhW2a', 'NTqs6gd2eP'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, G3TejlwEAjCaHxvFL9.cs | High entropy of concatenated method names: 'UNw6Tc3QunRnXj1YGGO', 'pJk6sb3BsffCflGPh9R', 'V7EQEbEnKS', 'yNFQAbkZTJ', 'QisQHXeBvP', 'qvBa4K3ZGwP5DcmOxVs', 'JnYrkZ3abNrgVj2jMKj'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, fHwdeZPJfBXj2YfMr4.cs | High entropy of concatenated method names: 'zFjcxy8JJM', 'WdVcUWseZC', 'O5CcXm1wqq', 'lOecLA9og5', 'xfLcvDrmeo', 'Tm7cQbq4hL', 'DAyceRSnQS', 'FD9c3Z7qsC', 'uwxcaXFIpX', 'GbacbSDDv2'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, Iw57mIcu4Uipo3Drfu.cs | High entropy of concatenated method names: 'Dispose', 'kR1PNe6aRi', 'WZeDfj8Ehf', 'nViTT1klWO', 'siwPC0GS6G', 'I2xPz68Bet', 'ProcessDialogKey', 'JqbDW9Cs8M', 'HEXDP5YPAu', 'P6DDDlp8a3'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.42962c0.6.raw.unpack, JPjDV4GsB2OQCPkt36.cs | High entropy of concatenated method names: 'fMTPe3HgFH', 'eQMP3VG0NE', 'SfhPbsC3ke', 'DtJPZrqPHF', 'NeNPn0dTDu', 'msSPVPAhHA', 'IPCE1gjUsSA4n8swhL', 'DDgXoHdpr7dfRA7x7V', 'BAePPrCfbm', 'gG3PcpOF2r'
                      Source: 0.2.HAhJORNtiOFCEGH.exe.5990000.10.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: HAhJORNtiOFCEGH.exe PID: 1220, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Memory allocated: 1570000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Memory allocated: 2EB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Memory allocated: 4EB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Memory allocated: 64F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Memory allocated: 74F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Memory allocated: 7730000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Memory allocated: 8730000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: A90000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2680000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 4680000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2569
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 7280
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe TID: 408 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep count: 36 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -33204139332677172s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -100000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2764 | Thread sleep count: 2569 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -99797s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2764 | Thread sleep count: 7280 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -99687s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -99555s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -99450s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -99324s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -99093s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98968s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98859s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98750s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98640s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98531s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98421s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98312s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98203s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -98093s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97984s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97874s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97765s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97656s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97546s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97437s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97328s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97218s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97109s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -97000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -96890s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -96767s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -95282s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -95156s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -95046s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520 | Thread sleep time: -94936s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -94828s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -94655s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -94546s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -94433s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -94327s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -94218s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -94109s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93999s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93890s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93781s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93671s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93562s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93453s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93343s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93234s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93124s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -93015s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -92906s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5520Thread sleep time: -92796s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99797Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99555Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99450Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99324Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99093Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98968Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98859Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98640Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98421Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98312Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98203Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98093Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97874Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97765Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97546Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97218Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96890Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96767Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95282Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95156Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95046Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94936Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94828Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94655Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94546Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94433Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94327Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94218Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93999Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93890Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93781Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93671Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93562Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93453Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93343Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93234Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93124Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93015Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 92906Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 92796Jump to behavior
                      Source: MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeQueries volume information: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3213980028.00000000026F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2000500638.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3212849902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3213980028.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HAhJORNtiOFCEGH.exe PID: 1220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1732, type: MEMORYSTR
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.5990000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.5990000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2ed35b4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.315b5ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.315857c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.3159594.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2008352418.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1997458410.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1997458410.000000000311E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2000500638.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3212849902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3213980028.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HAhJORNtiOFCEGH.exe PID: 1220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1732, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.41ee278.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.4228c98.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3213980028.00000000026F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2000500638.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3212849902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3213980028.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HAhJORNtiOFCEGH.exe PID: 1220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1732, type: MEMORYSTR
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.5990000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.5990000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2f17450.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2f067d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.2ed35b4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.315b5ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.315857c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAhJORNtiOFCEGH.exe.3159594.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2008352418.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1997458410.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1997458410.000000000311E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tactics and techniques matrix, listed per tactic column (the numeric prefixes are kept exactly as the report shows them in front of the matched techniques):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 2 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 12 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                      SourceDetectionScannerLabelLink
                      HAhJORNtiOFCEGH.exe61%ReversingLabsByteCode-MSIL.Trojan.SnakeKeyLogger
                      HAhJORNtiOFCEGH.exe61%VirustotalBrowse
                      HAhJORNtiOFCEGH.exe100%AviraHEUR/AGEN.1305452
                      HAhJORNtiOFCEGH.exe100%Joe Sandbox ML
                      No Antivirus matches
                      No Antivirus matches
                      SourceDetectionScannerLabelLink
                      bg.microsoft.map.fastly.net0%VirustotalBrowse
                      fp2e7a.wpc.phicdn.net0%VirustotalBrowse
                      SourceDetectionScannerLabelLink
                      http://r3.o.lencr.org00%URL Reputationsafe
                      http://r3.o.lencr.org00%URL Reputationsafe
                      http://x1.c.lencr.org/00%URL Reputationsafe
                      http://x1.i.lencr.org/00%URL Reputationsafe
                      http://x1.i.lencr.org/00%URL Reputationsafe
                      http://r3.i.lencr.org/030%Avira URL Cloudsafe
                      http://mail.pu.edu.af0%Avira URL Cloudsafe
                      http://r3.i.lencr.org/030%VirustotalBrowse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
mail.pu.edu.af | 103.132.98.224 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://r3.o.lencr.org0 | MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3217189090.0000000005A3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://mail.pu.edu.af | MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | HAhJORNtiOFCEGH.exe, 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, HAhJORNtiOFCEGH.exe, 00000000.00000002.2000500638.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3212849902.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://r3.i.lencr.org/03 | MSBuild.exe, 00000002.00000002.3217189090.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3217189090.0000000005A3A000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.132.98.224 | mail.pu.edu.af | Afghanistan | 58469 | MOCI-AS-AP MinistryofCommunicationITAF | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1436312
Start date and time: 2024-05-04 10:14:33 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HAhJORNtiOFCEGH.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 75
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 23.206.229.76, 40.68.123.157, 192.229.211.108, 199.232.210.172, 13.95.31.18, 23.206.229.80, 20.3.187.198
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:15:16 | API Interceptor | 2x Sleep call for process: HAhJORNtiOFCEGH.exe modified
10:15:19 | API Interceptor | 61x Sleep call for process: MSBuild.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
103.132.98.224 | eiQXaKJ75nCjEWn.exe | malicious | AgentTesla, PureLog Stealer
 | MehGCkAdgaX9oF0.exe | malicious | AgentTesla, PureLog Stealer
 | wsst63fXULoBQTw.exe | malicious | AgentTesla, PureLog Stealer

Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | 43643456.exe | malicious | AgentTesla | 192.229.211.108
 | Hesaphareketi-01.exe | malicious | AgentTesla | 192.229.211.108
 | LFfjUMuUFU.exe | malicious | AsyncRAT, PureLog Stealer, XWorm | 192.229.211.108
 | https://lestore.lenovo.com/detail/L109130 | malicious | Unknown | 192.229.211.108
 | https://www.67rwzb.cn/ | malicious | Unknown | 192.229.211.108
 | https://jingxinwl.com/ | malicious | Unknown | 192.229.211.108
 | https://vpassz.xu4nblog.com/ | malicious | Unknown | 192.229.211.108
 | https://rdtetsyutfuyfrxytf.azurewebsites.net/ | malicious | TechSupportScam | 192.229.211.108
 | https://8952627338.z28.web.core.windows.net/?phone=09-70-18-72-82 | malicious | Unknown | 192.229.211.108
 | https://nthturn.com/ | malicious | Unknown | 192.229.211.108
bg.microsoft.map.fastly.net | eiQXaKJ75nCjEWn.exe | malicious | AgentTesla, PureLog Stealer | 199.232.210.172
 | Zahlungsbeleg 202405029058.vbs | malicious | FormBook, GuLoader | 199.232.214.172
 | Arrival Notice.pdf.vbs | malicious | AgentTesla, GuLoader | 199.232.210.172
 | Hesaphareketi-01.exe | malicious | AgentTesla | 199.232.210.172
 | invoice PDF -2024.gz.vbs | malicious | Unknown | 199.232.214.172
 | Pedido-Faturado-398731.msi | malicious | Unknown | 199.232.214.172
 | LFfjUMuUFU.exe | malicious | AsyncRAT, PureLog Stealer, XWorm | 199.232.210.172
 | https://www.67rwzb.cn/ | malicious | Unknown | 199.232.214.172
 | https://jingxinwl.com/ | malicious | Unknown | 199.232.210.172
 | https://nthturn.com/ | malicious | Unknown | 199.232.214.172
mail.pu.edu.af | eiQXaKJ75nCjEWn.exe | malicious | AgentTesla, PureLog Stealer | 103.132.98.224
 | MehGCkAdgaX9oF0.exe | malicious | AgentTesla, PureLog Stealer | 103.132.98.224
 | wsst63fXULoBQTw.exe | malicious | AgentTesla, PureLog Stealer | 103.132.98.224

Match | Associated Sample Name / URL | Detection | Threat Name | Context
MOCI-AS-AP MinistryofCommunicationITAF | eiQXaKJ75nCjEWn.exe | malicious | AgentTesla, PureLog Stealer | 103.132.98.224
 | MehGCkAdgaX9oF0.exe | malicious | AgentTesla, PureLog Stealer | 103.132.98.224
 | wsst63fXULoBQTw.exe | malicious | AgentTesla, PureLog Stealer | 103.132.98.224

Match | Associated Sample Name / URL | Detection | Threat Name | Context
 | 1138de370e523e824bbca92d049a37770e46.scr.exe | malicious | AgentTesla | 23.1.237.91
 | Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 23.1.237.91
 | #U00d6deme tavsiyesi.exe | malicious | AgentTesla, PureLog Stealer | 23.1.237.91
 | SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe | malicious | Unknown | 23.1.237.91
 | SecuriteInfo.com.W32.A-62389890.Eldorado.13265.15378.exe | malicious | Unknown | 23.1.237.91
 | https://xdywna.com/ | malicious | Unknown | 23.1.237.91
 | https://portal.cpscompressors.workers.dev/ | malicious | HTMLPhisher | 23.1.237.91
 | 4iVYDe0VaY.dll | malicious | Latrodectus | 23.1.237.91
 | GLKJoBXIVE.dll | malicious | Latrodectus | 23.1.237.91
 | MODULO_RIMBORSO_AGENZIA_ENTRATE.PDF.exe | malicious | Unknown | 23.1.237.91

No context
Process: C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.959182119319668
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: HAhJORNtiOFCEGH.exe
File size: 702'464 bytes
MD5: 71188fae17ca6e068158080cd9be278a
SHA1: 1d2aaa378a8543283ab0af492da4351557948eab
SHA256: 1a220cf90de5204b1f33c388537f695421fc1388dd2ed8315efa211d0113ea6e
SHA512: 571b5a00d210bab01a662e7c214e433d930579c0c8669155de2f2a52db344e6d2e25c77e799ddf4eaf59b8da2fa5db0bae5f5f76391adf424fad1411f33d571a
SSDEEP: 12288:O3/T3/fVrTtK3/hLHMhwhvaVE63vsad/n7PaSrgQyuZcQazHxj7mP2Dowf3/a3/:OrXVrTtKZLHM6QacP3jZcPLYODowfC
TLSH: 4CE423C572CE9B18D56F93F6099A890107BA3A4B61B1FD1C5FC85CD17AEBF0A4B50A03
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^`3f..............0..x...8........... ........@.. ....................................@................................
Icon Hash: 0773f1fcfccc6113
Entrypoint: 0x4a96de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6633605E [Thu May 2 09:43:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                aaa
                                inc edi
                                aaa
                                dec eax
                                xor eax, 42000000h
                                xor eax, 4E343531h
                                xor eax, 32414939h
                                dec ecx
                                aaa
                                aaa
                                inc ebp
                                xor al, 56h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa968c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x2ce4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa7704 | 0xa7800 | 9587cb4676fe0a15ce01bfccead7e479 | False | 0.9616021455223881 | data | 7.977281565173417 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xaa000 | 0x2ce4 | 0x3000 | 50c87540272ab1dd4dfa6c90f186dff4 | False | 0.87158203125 | data | 7.429928103608448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000 | 0xc | 0x800 | 6bbe1175ea1c20d81ea8ca8a0e9e3c15 | False | 0.01611328125 | data | 0.03037337037012526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xaa100 | 0x26cd | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9980871841336958
RT_GROUP_ICON | 0xac7e0 | 0x14 | data | | | 1.05
RT_VERSION | 0xac804 | 0x2e0 | data | | | 0.4470108695652174
RT_MANIFEST | 0xacaf4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain
                                TimestampSource PortDest PortSource IPDest IP
                                May 4, 2024 10:15:20.600383043 CEST5993253192.168.2.51.1.1.1
                                May 4, 2024 10:15:21.507203102 CEST53599321.1.1.1192.168.2.5
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                May 4, 2024 10:15:20.600383043 CEST | 192.168.2.5 | 1.1.1.1 | 0xd833 | Standard query (0) | mail.pu.edu.af | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                May 4, 2024 10:15:21.507203102 CEST | 1.1.1.1 | 192.168.2.5 | 0xd833 | No error (0) | mail.pu.edu.af | | 103.132.98.224 | A (IP address) | IN (0x0001) | false
                                May 4, 2024 10:15:38.388042927 CEST | 1.1.1.1 | 192.168.2.5 | 0x802 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                May 4, 2024 10:15:38.388042927 CEST | 1.1.1.1 | 192.168.2.5 | 0x802 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false
                                May 4, 2024 10:15:39.160177946 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2f4 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                May 4, 2024 10:15:39.160177946 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2f4 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                May 4, 2024 10:15:22.404951096 CEST | 587 | 49704 | 103.132.98.224 | 192.168.2.5 | 220 scloud.andc.gov.af ESMTP Postfix
                                May 4, 2024 10:15:22.408898115 CEST | 49704 | 587 | 192.168.2.5 | 103.132.98.224 | EHLO 172892
                                May 4, 2024 10:15:22.844336987 CEST | 587 | 49704 | 103.132.98.224 | 192.168.2.5 | 250-scloud.andc.gov.af
                                                                                                                  250-PIPELINING
                                                                                                                  250-SIZE 204800000
                                                                                                                  250-ETRN
                                                                                                                  250-STARTTLS
                                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                                  250-AUTH=PLAIN LOGIN
                                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                                  250-8BITMIME
                                                                                                                  250-DSN
                                                                                                                  250 CHUNKING
                                May 4, 2024 10:15:22.844666958 CEST | 49704 | 587 | 192.168.2.5 | 103.132.98.224 | STARTTLS
                                May 4, 2024 10:15:23.280175924 CEST | 587 | 49704 | 103.132.98.224 | 192.168.2.5 | 220 2.0.0 Ready to start TLS


                                Target ID:0
                                Start time:10:15:16
                                Start date:04/05/2024
                                Path:C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\HAhJORNtiOFCEGH.exe"
                                Imagebase:0xb70000
                                File size:702'464 bytes
                                MD5 hash:71188FAE17CA6E068158080CD9BE278A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2008352418.0000000005990000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2000500638.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2000500638.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2000500638.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1997458410.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1997458410.000000000311E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:10:15:17
                                Start date:04/05/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                Imagebase:0x450000
                                File size:262'432 bytes
                                MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3213980028.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3213980028.00000000026F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3212849902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3212849902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3213980028.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3213980028.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:moderate
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:10.1%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:231
                                  Total number of Limit Nodes:8
                                  execution_graph: edge list of the 231-node execution graph (roots 54b70c8, 157d4e0, 151d01c, 1574668; Windows APIs reached: LoadLibraryExW, GetModuleHandleW, CreateWindowExW, DuplicateHandle, CallWindowProcW, CreateActCtxA). Raw node/edge data omitted.

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: basic blocks 157ae48-157b0c8 (calls 157a1c0, 157b0d2/157b0e0, 157a1cc, 157a1dc, 157a1ec, 157a1fc, GetModuleHandleW). Raw block/edge data omitted.
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0157B09E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 3b794ebf9b45d0d53e25a82f585e98be76254dc7c6234b979adbd6d9f5d94fb3
                                  • Instruction ID: 8ee351cbb7d8648b0903965541bdd460c378e3f1f56f76d3ce979ba8bc09fad7
                                  • Opcode Fuzzy Hash: 3b794ebf9b45d0d53e25a82f585e98be76254dc7c6234b979adbd6d9f5d94fb3
                                  • Instruction Fuzzy Hash: 3F7135B0A00B058FE725DF2AE44575ABBF5FF88300F048A2DE45ADBA50DB75E845CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: basic blocks 54b1872-54b1a61 (calls 54b1893, 54b1872, 54b1450, 54b1850, 54b18f0, 54b18d7, 54b18e7, CreateWindowExW). Raw block/edge data omitted.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,054B1396,00000000,?), ref: 054B1A02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: c54d7251188e670937abc1e962de03fb4b2bd2b0fd1ba7d3a34cb31636e3ab98
                                  • Instruction ID: 057207aa728f7cddba1f648268767fe2310521e25bc40eb4b6421a1f4ba4eca5
                                  • Opcode Fuzzy Hash: c54d7251188e670937abc1e962de03fb4b2bd2b0fd1ba7d3a34cb31636e3ab98
                                  • Instruction Fuzzy Hash: 4B4127B1D00349DFEF14CFA9C894ADEBBB1BF88300F24915AE419AB211D7B4A945CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: basic blocks 54b18e7-54b1a61 (calls CreateWindowExW). Raw block/edge data omitted.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,054B1396,00000000,?), ref: 054B1A02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 7074c00342854cb707090d1610b946c2c64b35a6649342baf16e168a280d806d
                                  • Instruction ID: 05ec712df1cfda2f6473fb8a0fc55840023f99690af5df6742051cf0357141ed
                                  • Opcode Fuzzy Hash: 7074c00342854cb707090d1610b946c2c64b35a6649342baf16e168a280d806d
                                  • Instruction Fuzzy Hash: 0851D1B1D00349DFDB14CF99C994ADEBBB5FF48304F24816AE819AB210D7B4A985CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: basic blocks 54b18f0-54b1a61 (calls CreateWindowExW). Raw block/edge data omitted.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,054B1396,00000000,?), ref: 054B1A02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 493e9f89fc1b3694d1fb58145276353d1b95062f1c4f780edda37b781be16415
                                  • Instruction ID: ae165aeedfb57e4546c1de0113966f684eb12de8431a02b455a55d940c184801
                                  • Opcode Fuzzy Hash: 493e9f89fc1b3694d1fb58145276353d1b95062f1c4f780edda37b781be16415
                                  • Instruction Fuzzy Hash: 5041D2B1D00349DFDB14CF9AC894ADEBBB5FF48314F24816AE419AB210D7B4A985CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: basic blocks 54b1850-54b1a61 (calls CreateWindowExW). Raw block/edge data omitted.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,054B1396,00000000,?), ref: 054B1A02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 6796821efac53adea9ff74609b0e0fe7b15ae4af4474c0de8555f277e345a131
                                  • Instruction ID: ca9c2a412c1a6b7f846263524f37f750ba9e8dae804862ba862fc357d71e1466
                                  • Opcode Fuzzy Hash: 6796821efac53adea9ff74609b0e0fe7b15ae4af4474c0de8555f277e345a131
                                  • Instruction Fuzzy Hash: EC4136B1C04349DFEB05CFA9C854ADDBFB1BF49300F24915AE409AB251D7B4A985CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: basic blocks 54b1893-54b1a61 (calls CreateWindowExW). Raw block/edge data omitted.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,054B1396,00000000,?), ref: 054B1A02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: f298247b8b3863d75dc6eeedc3d865ab703b382885976ddcff5e6cc22de33bc9
                                  • Instruction ID: 2f4840c221461aed1929057babdb340af10b5562edae5f1e26dcd9e07365aee3
                                  • Opcode Fuzzy Hash: f298247b8b3863d75dc6eeedc3d865ab703b382885976ddcff5e6cc22de33bc9
                                  • Instruction Fuzzy Hash: 874104B1D04349DFEB15CF99C894ADDBFB1BF49300F24916AE409AB250D7B4A985CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: basic blocks 54b18d7-54b1a61 (calls CreateWindowExW). Raw block/edge data omitted.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,054B1396,00000000,?), ref: 054B1A02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 580f6b643bb82e32567202230bc9ddafa4fb1185a198201c9018fb3b80c57678
                                  • Instruction ID: 6da7146ba231b879435904420ec89991a14dce82c8e54fc0c29f74e3764f5b92
                                  • Opcode Fuzzy Hash: 580f6b643bb82e32567202230bc9ddafa4fb1185a198201c9018fb3b80c57678
                                  • Instruction Fuzzy Hash: 7541C2B1D00349DFEB14CF99C894ADEBBB1BF48304F24916AE409AB250D7B5A985CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: basic blocks 1574508-1575a81 (calls CreateActCtxA). Raw block/edge data omitted.
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 015759E9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 7405a62f2feb622c254c17d60de57286dc5cecc4ed5d4826afdc7d443fe802fb
                                  • Instruction ID: 4c7cf0989221eff753008787691bcbb4b84f71bdb14dac2c8855607dfc3f5a27
                                  • Opcode Fuzzy Hash: 7405a62f2feb622c254c17d60de57286dc5cecc4ed5d4826afdc7d443fe802fb
                                  • Instruction Fuzzy Hash: 7B41D2B0C00719CBDB25DFA9C885BDDBBF5BF49304F20806AD408AB255DBB56946CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 015759E9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 02b11aef339a8b23f6d62856f03c4bb30a438f20b40ae0753df85daa68fb1580
                                  • Instruction ID: 66a98bb1819d6591d9b4b3bc2e26dda075da88b346cd2abc748d87fd35a86267
                                  • Opcode Fuzzy Hash: 02b11aef339a8b23f6d62856f03c4bb30a438f20b40ae0753df85daa68fb1580
                                  • Instruction Fuzzy Hash: 5341F2B1C00719CEDB25DFA9C885BDDBBF1BF49304F24806AD418AB251DBB5694ACF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 054B4111
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: 4a3c3f0eed8e48d043e869e75224db32daa577334935122c873f0e102f309b01
                                  • Instruction ID: 438f23ff814f39e5eb0774413e0b86890d2cd91ce34f0793073e74777f6e6930
                                  • Opcode Fuzzy Hash: 4a3c3f0eed8e48d043e869e75224db32daa577334935122c873f0e102f309b01
                                  • Instruction Fuzzy Hash: 3741F9B9900315DFDB14CF99C448AEABBF6FB88314F24C499D519AB321D775A841CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0157D6EE,?,?,?,?,?), ref: 0157D7AF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: a0408523a0e4646249f0193c0d7dff65c5136ba7360354a4945cc197f6224d10
                                  • Instruction ID: 797158d05e8d752a4ded79c18a9bac36bd6c84bf17dbba0cdb6b6da651c26520
                                  • Opcode Fuzzy Hash: a0408523a0e4646249f0193c0d7dff65c5136ba7360354a4945cc197f6224d10
                                  • Instruction Fuzzy Hash: AF21E3B59002489FDB10CF9AD985AEEFBF9FF48310F14845AE918A7310D379A944CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0157D6EE,?,?,?,?,?), ref: 0157D7AF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: c64782dcd9fdbb4e0d3c99dddd99fbb1700438569107ca2a2e63489c44a75488
                                  • Instruction ID: 06be85e4df4799aee9700e2e51b22a16c69e790779f15f3c694d4bf52682fc89
                                  • Opcode Fuzzy Hash: c64782dcd9fdbb4e0d3c99dddd99fbb1700438569107ca2a2e63489c44a75488
                                  • Instruction Fuzzy Hash: 2E21E3B59002489FDB10CF9AD985AEEFBF9FF48310F14841AE918A7310D378A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,054B1396,00000000,?), ref: 054B1A02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: a85d66ecb0e3905023cfeeecc12911f1dca94a415aa0e7a757c5ae2ae17de96a
                                  • Instruction ID: 12b9d8301cfdbef1c0432ce4a50a94a729b873991682c0a1bb82d060330ba2bb
                                  • Opcode Fuzzy Hash: a85d66ecb0e3905023cfeeecc12911f1dca94a415aa0e7a757c5ae2ae17de96a
                                  • Instruction Fuzzy Hash: 862118B1800248EFEF14DF98C898ADDBBB5BF09344F208149E9086B260C7B5A855CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0157B119,00000800,00000000,00000000), ref: 0157B72A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: d231297a1eee3868afd72cedccdccfb068cd8b7fccb5bb83209bdfcc42540d78
                                  • Instruction ID: 00967490daa7fd3dbddcad5727769ecd95760746183a64b54b37dea0a8c96c18
                                  • Opcode Fuzzy Hash: d231297a1eee3868afd72cedccdccfb068cd8b7fccb5bb83209bdfcc42540d78
                                  • Instruction Fuzzy Hash: B911F6B69003499FDB20DF9AD448AEEFBF8FF48310F14846AD519AB210C379A545CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0157B119,00000800,00000000,00000000), ref: 0157B72A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: d9bd9e1ed2898921332852ae19a1a83b56a9c6037a579719ba44b824af97e9c5
                                  • Instruction ID: f2392124ed0bcb806bcb88a4c7fc28e26967682ca0fc45ae949e5c59c21214b2
                                  • Opcode Fuzzy Hash: d9bd9e1ed2898921332852ae19a1a83b56a9c6037a579719ba44b824af97e9c5
                                  • Instruction Fuzzy Hash: 861126B69003489FDB10CF9AD444ADEFBF8FB48310F14841AD519A7200C379A545CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0157B09E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: e4da77a18dc306bdddf49a2edee7bcf4930a42835ceff326ac0305cae428610e
                                  • Instruction ID: e508c0502f6113eb2b0b03d08335426031a811f6dc852e69ff50cba08c9e9293
                                  • Opcode Fuzzy Hash: e4da77a18dc306bdddf49a2edee7bcf4930a42835ceff326ac0305cae428610e
                                  • Instruction Fuzzy Hash: 6D11DFB6C002498FDB20DF9AD844ADEFBF8BB88314F10845AD929A7610D379A545CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1996991888.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_150d000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5da59aabfa0369d8a1d217dff77927ee57ec66dbbcb9e9fd6caaacdb15b86f4e
                                  • Instruction ID: 50bc3dce7937587be4705b737cd552dd244ef1ca0df2df4d3362e6cb787e26b3
                                  • Opcode Fuzzy Hash: 5da59aabfa0369d8a1d217dff77927ee57ec66dbbcb9e9fd6caaacdb15b86f4e
                                  • Instruction Fuzzy Hash: 9B21A172504245DFDB06DFD8D9C4B2ABFB5FB88324F24C569E9090E296C33AD416CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997029941.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_151d000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 60f95e4d975a64025b7c983283a2b3d3b59670c4f65ae697d406c3a0e3eee77c
                                  • Instruction ID: a6ce31b287f4962b3eaca3161b437a26e1fb858544ff0b6999af9515d0c51504
                                  • Opcode Fuzzy Hash: 60f95e4d975a64025b7c983283a2b3d3b59670c4f65ae697d406c3a0e3eee77c
                                  • Instruction Fuzzy Hash: 22210771504204DFEB06DF98D5C8F66BBB5FB84324F20CA6DD9294F25AC33AD446CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997029941.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_151d000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d3d8894ba2421052a775d14d521b86f14545d483fe9092039f27997abb72bd76
                                  • Instruction ID: 1f2d1e0af0ffb964f8cff9f85f9953e0b2902d064f035dec5dce9fe1b38c73c6
                                  • Opcode Fuzzy Hash: d3d8894ba2421052a775d14d521b86f14545d483fe9092039f27997abb72bd76
                                  • Instruction Fuzzy Hash: CF210375504204DFEB16DF68D988B26BFB5FB84314F20C96DD9090F25AD33AD446CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997029941.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_151d000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74adbec24daf1041e8fe4d7629611e7dcdebe6b149f2e72fd3f2811438c51432
                                  • Instruction ID: 41e4d80a901b819dd96333724b1a64bee03f274cef51692df03c2369c1844ac8
                                  • Opcode Fuzzy Hash: 74adbec24daf1041e8fe4d7629611e7dcdebe6b149f2e72fd3f2811438c51432
                                  • Instruction Fuzzy Hash: AA219D755093808FDB03CF24D994B15BF71FB46214F28C5EAD8498F2A7C33A984ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1996991888.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_150d000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                  • Instruction ID: 0e9af823da777da3f19d57a6e7c06c5ee138a4aa5389fb33bb434ca5da0733de
                                  • Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                  • Instruction Fuzzy Hash: DE219076504241DFDB06CF94D9C4B1ABF71FB84324F24C5A9DD450A656C33AD426CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997029941.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_151d000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction ID: 38a5ad38b9443de53a3a032421fb7fdf7a5c30c5661afd96db8e4155a3f36de8
                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction Fuzzy Hash: F711BB75504280DFEB02CF58C5C8B19BFB1FB84224F24C6A9D8594F69AC33AD40ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1996991888.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_150d000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d761b79071701514ad8a85a03aad382cc9f84daf9161d78104f46d2600dc57f4
                                  • Instruction ID: 2976a33572b38eaa218b53e2f5b3fc9bfb1938b0a8db7e3e48c939a107800cca
                                  • Opcode Fuzzy Hash: d761b79071701514ad8a85a03aad382cc9f84daf9161d78104f46d2600dc57f4
                                  • Instruction Fuzzy Hash: 7301AC7110438499E7229AD9CD84B66BFECFF45324F14C969ED090E2D6D2799441CA71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1996991888.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_150d000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 435dcf365b1540ea247d94221ad013a7568c6e51bf811dfd0165f3cc21f2c0c9
                                  • Instruction ID: 41df0b3c46998957a11f240b0afcf0f6b7f6e86bf337f3a223b454ac0c4607fb
                                  • Opcode Fuzzy Hash: 435dcf365b1540ea247d94221ad013a7568c6e51bf811dfd0165f3cc21f2c0c9
                                  • Instruction Fuzzy Hash: 8FF0C2710043849AE7218E9ACC88B66FFA8EF81634F18C45AED080E286C2799844CAB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4f7d3112526d828191ae14dd0a18baa0ca11d087bdb78d3d094af5ee3a505d30
                                  • Instruction ID: 4d1f45760e4bc7fc22314fb1fbe1eaa0587f572eed5c430ddf7c994b5f93fa1f
                                  • Opcode Fuzzy Hash: 4f7d3112526d828191ae14dd0a18baa0ca11d087bdb78d3d094af5ee3a505d30
                                  • Instruction Fuzzy Hash: 3612A5B8C817468BD710CF65F84C1893BF1BBA1318BD04B19D2612B3E5DBB51A6ACF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77138d94e3d18ed892e9b4e9541d956bbfb7cff24ca198c090fd0b14bf04d5e9
                                  • Instruction ID: bbd7a655143f6e584a125ba590240f6469164a799a4dd92d54e54d24de8b6b9a
                                  • Opcode Fuzzy Hash: 77138d94e3d18ed892e9b4e9541d956bbfb7cff24ca198c090fd0b14bf04d5e9
                                  • Instruction Fuzzy Hash: E3A17E36E00216CFCF06DFB8D4445AEBBB2FF85300B15856AE916AF265DB71E916CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2007971194.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_54b0000_HAhJORNtiOFCEGH.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5fe8114547e3bffbfec9eb9f343577b56123341bc7aa53205e6f68136da331d6
                                  • Instruction ID: 7918abfe76dcee7813cae2af399d9254beae3dd552afdc8a09dd5b406968c9d9
                                  • Opcode Fuzzy Hash: 5fe8114547e3bffbfec9eb9f343577b56123341bc7aa53205e6f68136da331d6
                                  • Instruction Fuzzy Hash: FAD134B8C807468BD711CF25F8481897BF1BFA1328F954B19D1616B3E1DBB819AACF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:11.9%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:25
                                  Total number of Limit Nodes:4
                                  • Execution graph (rendering not reproduced): entry 00A90848 -> 00A9084E -> 00A9138B / 00A91488 -> 00A91396 -> 00A97088 -> 00A97092 -> 05B4CF7F / 05B4CF90 -> 05B4CFA5 -> 05B4D5D8 and 05B4D838; GlobalMemoryStatusEx is the only API reached, called from the 05B4D5D8 and 05B4D838 nodes and via 00A91488 and 00A97088
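                                  The entries above only become useful once each function is tied back to the memory region it was dumped from and to the process that hosts it. The Python below is an added triage helper, not part of the Joe Sandbox report or of Joe Security's tooling: it parses the "APIs", "Memory Dump Source" and "Snapshot File" lines exactly as they are printed in this listing, decodes the region fields, and flags functions that execute from private, writable, executable memory marked "based on PE: false", which is the profile of the unpacked stage in HAhJORNtiOFCEGH.exe and of the code the report shows running inside MSBuild.exe (process index 2). The field layout assumed for the .sdmp name (process index, run, sequence, base, protection, unknown, type, unknown) is an inference from the entries on this page; the base field is checked against the report's own "Offset:" value and the protection and type fields are decoded with the standard winnt.h constants, while the two unknown fields are kept raw. The sample text is constructed from entries on this page plus one made-up image-backed region as a benign control.

```python
"""Added triage helper (not part of the Joe Sandbox report): tie each listed
function to its memory region and flag non-PE-backed RWX private code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Page-protection and region-type constants from winnt.h.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
WRITABLE_EXEC = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# ASSUMPTION (inferred from the report's entries): the .sdmp name is
#   <proc-index>.<run>.<sequence>.<base>.<protect>.<f5>.<type>.<f7>.sdmp
# base is verified against the "Offset:" field; f5 and f7 are not interpreted.
SDMP_RE = re.compile(
    r"(?P<proc>\d{8})\.(?P<run>\d{8})\.(?P<seq>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})"
    r"\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
SNAPSHOT_RE = re.compile(r"Snapshot File:\s*hcaresult_\d+_\d+_[0-9a-f]+_(?P<proc>.+)\.jbxd")
API_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\(.*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class FunctionRegion:
    proc_index: int
    process: str
    base: int
    protect: int
    mem_type: int
    pe_backed: bool
    apis: List[str] = field(default_factory=list)  # "Api@callsite"

    @property
    def suspicious(self) -> bool:
        """Writable+executable, MEM_PRIVATE and not mapped from a PE file:
        the shape of unpacked or injected code, not of a loaded module."""
        return bool(self.protect & WRITABLE_EXEC) and self.mem_type == MEM_PRIVATE and not self.pe_backed


def parse_listing(text: str) -> List[FunctionRegion]:
    """One FunctionRegion per 'Memory Dump Source' block; the API refs printed
    above a block belong to that block's function."""
    regions: List[FunctionRegion] = []
    pending: List[str] = []
    for line in text.splitlines():
        src = SOURCE_RE.search(line)
        if src:
            f = SDMP_RE.search(src.group("name"))
            if not f:
                raise ValueError(f"unexpected dump name: {src.group('name')}")
            base = int(f.group("base"), 16)
            if base != int(src.group("offset"), 16):
                raise ValueError(f"base/offset mismatch in {src.group('name')}")
            regions.append(FunctionRegion(int(f.group("proc")), "?", base,
                                          int(f.group("protect"), 16), int(f.group("mtype"), 16),
                                          src.group("pe") == "true", pending))
            pending = []
            continue
        snap = SNAPSHOT_RE.search(line)
        if snap and regions:
            regions[-1].process = snap.group("proc")  # process name comes from the .jbxd name
            continue
        api = API_RE.search(line)
        if api:
            pending.append(f"{api.group('api')}@{int(api.group('ref'), 16):#x}")
    return regions


def summarize(regions: List[FunctionRegion]) -> Dict[Tuple[int, str, int], dict]:
    """Collapse per-function entries into one row per (process, region)."""
    rows: Dict[Tuple[int, str, int], dict] = {}
    for r in regions:
        row = rows.setdefault((r.proc_index, r.process, r.base),
                              {"functions": 0, "apis": set(), "suspicious": r.suspicious})
        row["functions"] += 1
        row["apis"].update(a.split("@")[0] for a in r.apis)
    return rows


# Constructed sample: three entries copied from the report above (process 0 is
# HAhJORNtiOFCEGH.exe, process 2 is MSBuild) plus one made-up image-backed
# region (PAGE_EXECUTE_READ, MEM_IMAGE, base 0x400000) as a benign control.
SAMPLE = """\
APIs
• CreateActCtxA.KERNEL32(?), ref: 015759E9
Memory Dump Source
• Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
• Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0157B119,00000800,00000000,00000000), ref: 0157B72A
Memory Dump Source
• Source File: 00000000.00000002.1997172873.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
• Snapshot File: hcaresult_0_2_1570000_HAhJORNtiOFCEGH.jbxd
Memory Dump Source
• Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
• Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
Memory Dump Source
• Source File: 00000002.00000002.0000000000.0000000000400000.00000020.00000001.01000000.00000001.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd
"""

if __name__ == "__main__":
    for (idx, proc, base), row in sorted(summarize(parse_listing(SAMPLE)).items()):
        verdict = "RWX private, no PE backing" if row["suspicious"] else "module"
        print(f"proc#{idx} {proc:<16} {base:#010x} {row['functions']} fn  {verdict}  {sorted(row['apis'])}")
```

                                  Run as a script it prints one row per region; on the full listing every function attributed to process 2 lands in one of the two MSBuild regions 00A90000 and 05B40000, both RWX, private and not PE-backed, which are the regions to carve and scan rather than the MSBuild image itself. The base/offset cross-check exists so that a change in the dump naming scheme fails loudly instead of silently misattributing functions.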
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1285b36d13a4836494f480b3b923a1e1c2f4e2366f20f054ab0712aa2994a055
                                  • Instruction ID: 0c0d23aa0d61ef8f20f3c4c3fafa2c55a803ed56f059038e704ab21688c32073
                                  • Opcode Fuzzy Hash: 1285b36d13a4836494f480b3b923a1e1c2f4e2366f20f054ab0712aa2994a055
                                  • Instruction Fuzzy Hash: 57631831D10B1A8ADB11EF68C8946A9F7B1FF99310F15C79AE05877121EB70AAD4CF81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e634191c720391f86b61f7ae376f8c7f1e6bbb7764595faf88a6d6bd0d9b1b3
                                  • Instruction ID: aef3ca7a7e4ce7a2af92ed970893a9eb130495c54c91048a681c2d7f9254d7bc
                                  • Opcode Fuzzy Hash: 4e634191c720391f86b61f7ae376f8c7f1e6bbb7764595faf88a6d6bd0d9b1b3
                                  • Instruction Fuzzy Hash: 48331D31D107198ECB11EF68C8906ADF7B1FF99300F15C79AE459A7221EB70AAD5CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9d06efcbd55bec2cdfc29f4854e4f00392e47c6a5ec75ba9e7db34ffb3e84a5
                                  • Instruction ID: 1717511bd2ee6a96464671961701e4a827737765521df9f30850b45247c37849
                                  • Opcode Fuzzy Hash: f9d06efcbd55bec2cdfc29f4854e4f00392e47c6a5ec75ba9e7db34ffb3e84a5
                                  • Instruction Fuzzy Hash: 8E224935B002059FDF14DFA8E984AAEBBB2EF89310F148569E909DB395DB30DC46CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3a70103d5a1d60c40b82b0fa0b85da11dac8b2a2c3bf3e35377bc49c3cfc7076
                                  • Instruction ID: 16e7e6b5fd9c579b8023efe44d0551a454532ad94fb0f4e7435d087b1984f27d
                                  • Opcode Fuzzy Hash: 3a70103d5a1d60c40b82b0fa0b85da11dac8b2a2c3bf3e35377bc49c3cfc7076
                                  • Instruction Fuzzy Hash: A7B13E74F002098FDF14CFA9C985B9DBBF2AF8C354F148529D419E7254EB749846CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 41dc4d7d5e7b1bb16d4f3f39f6a6983321dea7c20a257d0ab9bd9ac89f21203a
                                  • Instruction ID: 25689aebb0c07cef779aef5f35b76191f636f2c862d2f95b0a0722cb26678a09
                                  • Opcode Fuzzy Hash: 41dc4d7d5e7b1bb16d4f3f39f6a6983321dea7c20a257d0ab9bd9ac89f21203a
                                  • Instruction Fuzzy Hash: A7912F71F00209DFDF14CFA9C985BDDBBF2AF88314F248129E415AB254EB749986CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • Function 00A96EDD-00A970E9; calls 00A96C38 from the entry block, 00A9676C from 00A96F3C-00A96F55 and 00A97908 from 00A96FCA, with no Windows API calls in the graph (graph rendering and Executed / Not Executed legend not reproduced)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LR]q$LR]q
                                  • API String ID: 0-3917262905
                                  • Opcode ID: 1588bd86b59aa7dd231e44abbd1cec02dbc2b16d0efde5a39e8ec564f5253f97
                                  • Instruction ID: 5c251a114d7c1685b7c02e7fef4750917e4ae8b8e9dc1024846a2263b12a956d
                                  • Opcode Fuzzy Hash: 1588bd86b59aa7dd231e44abbd1cec02dbc2b16d0efde5a39e8ec564f5253f97
                                  • Instruction Fuzzy Hash: 1D417D30B142059FDF15DB78D4547AEBBF2EF8A300F208569E406EB251DB759C46CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered as an edge list; the executed / not executed colouring of the original graph is lost in extraction)
control_flow_graph 3091 5b4e198-5b4e1b3 3092 5b4e1b5-5b4e1dc call 5b4d570 3091->3092 3093 5b4e1dd-5b4e1fc call 5b4d57c 3091->3093 3099 5b4e202-5b4e261 3093->3099 3100 5b4e1fe-5b4e201 3093->3100 3107 5b4e267-5b4e2f4 GlobalMemoryStatusEx 3099->3107 3108 5b4e263-5b4e266 3099->3108 3111 5b4e2f6-5b4e2fc 3107->3111 3112 5b4e2fd-5b4e325 3107->3112 3111->3112
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3217688859.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a3755f76a39f385d33360533f886627da91331b6d685959ba2e3a4dce88d3e8
                                  • Instruction ID: adf6134690c5775d7b61a8ad6e3eef332cbbfac2c5babda9ec8692fdc43b36df
                                  • Opcode Fuzzy Hash: 4a3755f76a39f385d33360533f886627da91331b6d685959ba2e3a4dce88d3e8
                                  • Instruction Fuzzy Hash: 81410372E143558FCB14CFB9E8447AEBBF5FF89210F1485AAD408A7240DB78A944CBD1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered as an edge list; the executed / not executed colouring of the original graph is lost in extraction)
control_flow_graph 3115 5b4e280-5b4e2be 3116 5b4e2c6-5b4e2f4 GlobalMemoryStatusEx 3115->3116 3117 5b4e2f6-5b4e2fc 3116->3117 3118 5b4e2fd-5b4e325 3116->3118 3117->3118
                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE(8B55052F), ref: 05B4E2E7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3217688859.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: 1a6472b42f0814eb8084a10392d7575948a753dc4f39f1b9abcc9543dbd60913
                                  • Instruction ID: 0932a8abf36a1ed643e4fc71ef09538dfab60e2194f63bfbafab6b4c2c01432e
                                  • Opcode Fuzzy Hash: 1a6472b42f0814eb8084a10392d7575948a753dc4f39f1b9abcc9543dbd60913
                                  • Instruction Fuzzy Hash: 7D11E4B1C006599BCB10DF9AC544BDEFBF4FF48310F14816AD418A7240D778A944CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PH]q
                                  • API String ID: 0-3168235125
                                  • Opcode ID: ed866e90b5d1702f61c1cd32702bfb5c124eb61e1b2efb756080fbc672e67c57
                                  • Instruction ID: e329882e502e10e1d70154e395c055c5a1f52955087b670f428587219b9ff4be
                                  • Opcode Fuzzy Hash: ed866e90b5d1702f61c1cd32702bfb5c124eb61e1b2efb756080fbc672e67c57
                                  • Instruction Fuzzy Hash: 94319D30B042058FDB199B34D9A476E3BE2AFCA744F258479D406DB399EE35CC46CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PH]q
                                  • API String ID: 0-3168235125
                                  • Opcode ID: 585adae7d8d15f77bff60c09fe187e9168907fbbd3847a019a9a06074a5e217e
                                  • Instruction ID: d456ee1c6a10e162002954400958ebdc6dbaba34e4176636882947c8a9029947
                                  • Opcode Fuzzy Hash: 585adae7d8d15f77bff60c09fe187e9168907fbbd3847a019a9a06074a5e217e
                                  • Instruction Fuzzy Hash: 1531AB30B002058FDF19AB38956476F7BE6ABC9704F248478D406DB399DE35DC46CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LR]q
                                  • API String ID: 0-3081347316
                                  • Opcode ID: f28bd737eb88d72a4a634108657b8bb90cbf7ac14baf810a5a658071ab167d25
                                  • Instruction ID: ac38a024c262d42e2919cd54b8b53222db5fb1f58996b0fdf1e86ded0ba9d140
                                  • Opcode Fuzzy Hash: f28bd737eb88d72a4a634108657b8bb90cbf7ac14baf810a5a658071ab167d25
                                  • Instruction Fuzzy Hash: 6F314D30F102099BDF14CFA8D8547AEB7F2EF85310F208569E806EB250EB75AD46CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LR]q
                                  • API String ID: 0-3081347316
                                  • Opcode ID: 76acc95a058f3f145a0b87910afb6b950554afe840f93c0a753a0ac07ca80091
                                  • Instruction ID: 8c48fe479d9f2c881e42ba42908b36dd8c7aef2951824304eada5958b292a340
                                  • Opcode Fuzzy Hash: 76acc95a058f3f145a0b87910afb6b950554afe840f93c0a753a0ac07ca80091
                                  • Instruction Fuzzy Hash: 8221D83170D2805FC716EB7894A479E7FF29F86310F0445AED085CB396DA695C4AC7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5189079902bcc8015af0eabbc43f4253acfe4e2d544f56a1d46d736c59a02492
                                  • Instruction ID: 90cc4301b5d5e7f4a752cbea97208eed07ad626aacb9b45975a95240f7b82cc7
                                  • Opcode Fuzzy Hash: 5189079902bcc8015af0eabbc43f4253acfe4e2d544f56a1d46d736c59a02492
                                  • Instruction Fuzzy Hash: AE1260347102019BCB29AB78E89462D73A6FFCA351F548979E006CB369DF75DC46CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ca378329d2888469008f4d6e78674e800e5c9bc6c5d3bc7e676d64d96a332e26
                                  • Instruction ID: 7636b45e0279c0603aae6d9b56d09f2dbe5945c4681be9eb6921a5e59a63809d
                                  • Opcode Fuzzy Hash: ca378329d2888469008f4d6e78674e800e5c9bc6c5d3bc7e676d64d96a332e26
                                  • Instruction Fuzzy Hash: 17B13A70E002199FDF14CFA9C985B9DBBF1BF8C354F248129D819EB254EB749886CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7bcd2b6c7c658dedb47036abfe0211d3a77f1311c7da81e6ffd0689a6117e88c
                                  • Instruction ID: 5d1285f2893c84aeecab0cb1a7b78da0a7947c65b77e7e471bce8d38bdce6a9a
                                  • Opcode Fuzzy Hash: 7bcd2b6c7c658dedb47036abfe0211d3a77f1311c7da81e6ffd0689a6117e88c
                                  • Instruction Fuzzy Hash: CAA13A34B002049FCB15DF68E594AAEBBF6EF89310F248469E506EB3A5DB34DC46CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3b598b93eb3b8d03dc58548cf0dd52802d136e1f91db34fce9e677ee0810b60
                                  • Instruction ID: 0fd8bbedce0f41980fd9933fa3a9a422b14b086b3fda6683b66e35652cc80e92
                                  • Opcode Fuzzy Hash: a3b598b93eb3b8d03dc58548cf0dd52802d136e1f91db34fce9e677ee0810b60
                                  • Instruction Fuzzy Hash: E5913C71F00209DFDF14CFA9C985BDDBBF1AF88314F248129E419AB254EB749986CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 89f1b36650dc00c4f8b1cb764d5bf25ee00c771289adf72581001bfecfa620e2
                                  • Instruction ID: 9c93fcffc70dbc58d4c2106a9a6f83ca7cbac32f92c0b5c6dd780add53c7622f
                                  • Opcode Fuzzy Hash: 89f1b36650dc00c4f8b1cb764d5bf25ee00c771289adf72581001bfecfa620e2
                                  • Instruction Fuzzy Hash: 02714DB0E00249DFDF10DFA9C985BDEBBF2BF88314F148129E415A7254EB749846CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ab9f12ea96092708bef2f1b7ae16e0abe9fba934e98aa0fa5af9027ba22fab42
                                  • Instruction ID: 722b4f83c8c420fb0c7ec9c1c272e6ea7864717dc2f9908920e348af41bfd776
                                  • Opcode Fuzzy Hash: ab9f12ea96092708bef2f1b7ae16e0abe9fba934e98aa0fa5af9027ba22fab42
                                  • Instruction Fuzzy Hash: 3F716AB0E00249DFDF10DFA9C981B9EBBF2BF88314F148129E419A7254EB749842CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d21bd24b04f4e49e28da7eb6ed192efacbb0772e370d2d428f1d7f9ba4fa9a2f
                                  • Instruction ID: 5419e2694466a98c55334e68733d1244ac51f90d3b8bf1050c8878aefebfccc7
                                  • Opcode Fuzzy Hash: d21bd24b04f4e49e28da7eb6ed192efacbb0772e370d2d428f1d7f9ba4fa9a2f
                                  • Instruction Fuzzy Hash: 4A51F174E102188FDF18CFA9C889B9DBBF1FF49314F14812AE819AB295D774A844CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56ff28f3b4c624975a6c20ed67cdcbc33256e3ca1154c615bccb62529ecd0b5d
                                  • Instruction ID: ca4ee5bf1b818db1aeb6e09f8131f2e554430177d60f43cbd714905b8954c9ca
                                  • Opcode Fuzzy Hash: 56ff28f3b4c624975a6c20ed67cdcbc33256e3ca1154c615bccb62529ecd0b5d
                                  • Instruction Fuzzy Hash: 6F51F274E102188FDF18CFA9C885B9DBBF1BF48314F14852AE819AB391D778A844CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 523c054281d78063113ba8c17bed5c13c9577e2300686850749429bf919b945b
                                  • Instruction ID: 7537cbe68527d8b43bf4dbf090f997b0f5bbac7d6addf6c4ff981fb4d4888a6d
                                  • Opcode Fuzzy Hash: 523c054281d78063113ba8c17bed5c13c9577e2300686850749429bf919b945b
                                  • Instruction Fuzzy Hash: 9051F0B0E003099FDB14DFAAC484BDEBBF5FF48314F24842AE419AB250DB75A945CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32efb67244e509c04083d26cacbc5d3eb98e3cb5c222dec1a8d59d08b08e843f
                                  • Instruction ID: eae11bcf5348e7014297c2314d0c9ddc26f0a270560e642224eccb3f88b98751
                                  • Opcode Fuzzy Hash: 32efb67244e509c04083d26cacbc5d3eb98e3cb5c222dec1a8d59d08b08e843f
                                  • Instruction Fuzzy Hash: 5D51FC38216141EFCB1AEF28F9B0E453FA5FB6EB047106B69D0015B23EDB256909EF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 44fc7e1f07e56c230a2d8211575d0d389254dc0df3ce1080934bd357d79bdaf7
                                  • Instruction ID: 62b2a867f4a39e2688eeca3b9c81eeaf897769e7a1944957b7f4aebd8befad9a
                                  • Opcode Fuzzy Hash: 44fc7e1f07e56c230a2d8211575d0d389254dc0df3ce1080934bd357d79bdaf7
                                  • Instruction Fuzzy Hash: 4C51DA78216141EFCB19EF28F9B0E453FA5FB6EB043106B69D0015B23DDB216909EF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c1a6a68b272d4850ea703887cdaf711df7210e652fd2f1e65a5af7a0e93f940
                                  • Instruction ID: 56c0e8b365ba60dd10aaf748ce579b7f4baeb77bea2243d74bae62ae1c451ad4
                                  • Opcode Fuzzy Hash: 1c1a6a68b272d4850ea703887cdaf711df7210e652fd2f1e65a5af7a0e93f940
                                  • Instruction Fuzzy Hash: D7313E75F1020AABDF249FADD58076FB7A5FB86310F20482ED51ADB384DA34DC458B92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20f58d3c86eb1d6259ce39615a50af3825a1ef3975f93c4cd3108ad22d6164f6
                                  • Instruction ID: 91672516cc6d1f220a3b098b814ef023e8bffc02c58044f1675bde5684f72926
                                  • Opcode Fuzzy Hash: 20f58d3c86eb1d6259ce39615a50af3825a1ef3975f93c4cd3108ad22d6164f6
                                  • Instruction Fuzzy Hash: D6315E35F146059FCB09CFA4D89469EBBF2AF89314F108529E816EB350DB74AC46CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 70ae665a691fad38d171f74e711e8ede4b61a3f69e81c0e84a6d615b96374868
                                  • Instruction ID: c305ac783f387f4915b5e40d9530954203c5da22e850428435a2654b97d45938
                                  • Opcode Fuzzy Hash: 70ae665a691fad38d171f74e711e8ede4b61a3f69e81c0e84a6d615b96374868
                                  • Instruction Fuzzy Hash: 85314B35F102059FCB19CFA9E89469EBBF2AF89314F108529E816EB350DB74AC42CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6d1c0de4a8c3a8e43f86e7b94da033080b4abbbc1c3b4c7b8a8046b823452fb4
                                  • Instruction ID: 88a23fd7bcc0578f420b9e176cc92f6f1b3e40e4a508fae697a598a147930ef0
                                  • Opcode Fuzzy Hash: 6d1c0de4a8c3a8e43f86e7b94da033080b4abbbc1c3b4c7b8a8046b823452fb4
                                  • Instruction Fuzzy Hash: 0B41DEB0E00349AFDB14DFA9C584ADEBFF5FF48314F248429E809AB254DB75A945CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5368de958c650c357517b737fddaaf74c801b76d9669022990042a4cd6ca2546
                                  • Instruction ID: e441a989aa51e705571c7a5ea50256316148ca78681796d1c0f15dc7ffad69ef
                                  • Opcode Fuzzy Hash: 5368de958c650c357517b737fddaaf74c801b76d9669022990042a4cd6ca2546
                                  • Instruction Fuzzy Hash: C021B0B1F053529FCF22ABB899942AD7BE0EF8A350F1544BAD446DB342E735C841CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 39d6930f36ecc1d58d9f11b41880be4fea2173f4a3338f286650031d2029819f
                                  • Instruction ID: 27a14228ce11d2c46e6b3ec234f3c4394603b00c3a43d847b739592f999530ad
                                  • Opcode Fuzzy Hash: 39d6930f36ecc1d58d9f11b41880be4fea2173f4a3338f286650031d2029819f
                                  • Instruction Fuzzy Hash: DB315035E1020AABDF09CFA8D5946DEB7B6BF89300F10C629E405EB354DB709846CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 467fad1b95b10c1514157206ec6105b643d9eed763aaae4afc979aee49802f94
                                  • Instruction ID: 124eb15ba489fc0d75029daf3a5f8dd9e25270e5ecaae69d6108f9f29a8ed18c
                                  • Opcode Fuzzy Hash: 467fad1b95b10c1514157206ec6105b643d9eed763aaae4afc979aee49802f94
                                  • Instruction Fuzzy Hash: A7213776F043429FEF219BB89C04A9E7BE5AB59320F144A65ED49C3354E734CC01CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213156978.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_94d000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c2bca81df1d5091901ef9eef906011e2d5e8d44fbe4b7fcf285b29d2447f64c
                                  • Instruction ID: f95a92627b2ff13cbc80290df466d33146e9df2c04198a1b978d83290f9d7bf3
                                  • Opcode Fuzzy Hash: 4c2bca81df1d5091901ef9eef906011e2d5e8d44fbe4b7fcf285b29d2447f64c
                                  • Instruction Fuzzy Hash: 08316F7550E3C49FC7138B24C894B11BF75AB57214F29C5DBD9898F2A3C23A980ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0d7ee623cff6d8087fb8049b9b55a13f08f6fbd5aa85e7772af21613abc69a81
                                  • Instruction ID: f12b32519951d54ff8786dbeb8aa8344bbb12439c960f8bea0190fcf625447a7
                                  • Opcode Fuzzy Hash: 0d7ee623cff6d8087fb8049b9b55a13f08f6fbd5aa85e7772af21613abc69a81
                                  • Instruction Fuzzy Hash: EC215331E10209ABDF05CFA9D4846DFF7B6BF89300F508629E405AB244DB719C46CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c09f5ac39a117968bba7c4fbb469e49ffe1292df694482cc774cf4a0e2e83033
                                  • Instruction ID: 8f476ae0ff882104edb4903b1e9237ff278a389e0fed3488c59f82fe63d9482b
                                  • Opcode Fuzzy Hash: c09f5ac39a117968bba7c4fbb469e49ffe1292df694482cc774cf4a0e2e83033
                                  • Instruction Fuzzy Hash: E621F730B00205CFCB54DB79D969A9D77F1EF8E315B1004A8E406EB3A5DB369D05DB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8e4a6a4ac6b291314b56e37c7bec60656623f3c319814cf5eeb1a3b81469ee90
                                  • Instruction ID: bc98877617809818f9f8372d548cd8457e0746d9325c1f5a1685405632321a95
                                  • Opcode Fuzzy Hash: 8e4a6a4ac6b291314b56e37c7bec60656623f3c319814cf5eeb1a3b81469ee90
                                  • Instruction Fuzzy Hash: 82216235F04206ABDF19CFA9D8545DEF7F2AF89310F20862AE815AB354DB709D42CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213156978.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_94d000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 58a4f34545abb4533348fe1a248606e8a46cb1313a918e6fc5e87e761821b40b
                                  • Instruction ID: 1641adb98b4e3b2db35d3db0e40bd8f573bf3390da2b784f4cfb2dd02093bf23
                                  • Opcode Fuzzy Hash: 58a4f34545abb4533348fe1a248606e8a46cb1313a918e6fc5e87e761821b40b
                                  • Instruction Fuzzy Hash: 5A210479605204DFCB15DF14D9C0F26BBA9FB88314F24C96DE9094B296C37AD847CA62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b3f69dac21bf83b71a875ed4769beb0a08bb6c4e9364537a130ebe66c7097e76
                                  • Instruction ID: 9e203b603141544ab2402da96efd01d2125b542577e6f6ccbeee82f8380f282f
                                  • Opcode Fuzzy Hash: b3f69dac21bf83b71a875ed4769beb0a08bb6c4e9364537a130ebe66c7097e76
                                  • Instruction Fuzzy Hash: 17218E31B10215AFDB04DB69C955BAE7BF6FB88750F208069E505EB3A0DA719C018B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ab500dd7834c1124ae8d1483b473d34e5d968fab9d1172d335ab2aaadf534ee
                                  • Instruction ID: 8d77a4d6784dbc86d5bfda25fe6351acd5badcdda4c36a85f0f9dbb26c282a7d
                                  • Opcode Fuzzy Hash: 7ab500dd7834c1124ae8d1483b473d34e5d968fab9d1172d335ab2aaadf534ee
                                  • Instruction Fuzzy Hash: 00212F31F1020AABDF19CF69D85459EF7F6AF89310F20862AE815B7350DB709D45CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 877f302ff209ef0fc6dfd2fbc524e748e2b4dade61eb2f4010332b7cd25ed3a8
                                  • Instruction ID: c0773dd75fd08c645d48ad2391fad86368b770c68c85257d4451ad789fc1130c
                                  • Opcode Fuzzy Hash: 877f302ff209ef0fc6dfd2fbc524e748e2b4dade61eb2f4010332b7cd25ed3a8
                                  • Instruction Fuzzy Hash: B121513C7001026FDF26EB68FC84B5937A9EB49714F205A25D40ACB36DDB68DC458B92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb869ff00776fc60a5bc77c1073281e1ada77e462a0986b482c31d7a0ba0f12a
                                  • Instruction ID: 8b8ad787579333139847209440b0209c2e2d43aa28fbb550695cfb9607ce72bf
                                  • Opcode Fuzzy Hash: fb869ff00776fc60a5bc77c1073281e1ada77e462a0986b482c31d7a0ba0f12a
                                  • Instruction Fuzzy Hash: 1F213C30B0020ACFDF54EB78C5657AE77F6AB49305F200468D506EB3A4DB369D45DBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 40f3c266c40c2cc3a7d004a3ebbf5e0499d8844786b5837774b17be80fbab2ce
                                  • Instruction ID: ac216e64b3bffb8669f51a8124a9177faeb1f3fb5ae257c071d05e24bdcc626e
                                  • Opcode Fuzzy Hash: 40f3c266c40c2cc3a7d004a3ebbf5e0499d8844786b5837774b17be80fbab2ce
                                  • Instruction Fuzzy Hash: F521B9747112029BEF355734E98872E36E5EB4B315F100975E407CB394DA29CC80C792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4ce4d0488edf3e68abee95514ec66c8d918f6b8d095cbf463912e275fd9e6c47
                                  • Instruction ID: 53123996dd67afcecc0a1a49704d62bf3e88f89738c2b43f34b0fab9b462f7ed
                                  • Opcode Fuzzy Hash: 4ce4d0488edf3e68abee95514ec66c8d918f6b8d095cbf463912e275fd9e6c47
                                  • Instruction Fuzzy Hash: 4E2151387001026FDF16EB68F884B1937A9EB49714F205A25D40ACB36DDB68DC458B92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 472e792a6cff5adb1f6ef2e51750004cf8a1fcfdf811f188fcc1fc274cdc4763
                                  • Instruction ID: 2fd8620a6e4498555daecb168159ce0a39291c83ff5085a465dacd2f20c041a1
                                  • Opcode Fuzzy Hash: 472e792a6cff5adb1f6ef2e51750004cf8a1fcfdf811f188fcc1fc274cdc4763
                                  • Instruction Fuzzy Hash: 33213830B00216CFDF25EB78C6657AE77F2AB89305F200468D406EB3A4DB368D45DBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a785548320dd772ea255783512ada2ee74f43c9cb0c20eb42dab91d7a9dffd9
                                  • Instruction ID: f669bedb17ebd9245f7e84e3085418a8b926abb331f80adfc4782eece32a6467
                                  • Opcode Fuzzy Hash: 4a785548320dd772ea255783512ada2ee74f43c9cb0c20eb42dab91d7a9dffd9
                                  • Instruction Fuzzy Hash: 9721E434B10205CFCB54EB79C969AAE77F1AB8D305F200568E406EB3A4EB369D01CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f578c1ea034215fdde39cafe3a8707335f8c71920ce318bf4e09dd7432aee21f
                                  • Instruction ID: a93038ecaeda0e9f3dc43c0b20e21b98f1d5165aeca7239a51f3f7708e573d1b
                                  • Opcode Fuzzy Hash: f578c1ea034215fdde39cafe3a8707335f8c71920ce318bf4e09dd7432aee21f
                                  • Instruction Fuzzy Hash: A2110630B053148FEF6567B89850F7A37E0EB92390F20C97AC042CF286DA24CC418BC2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 91c249269b71dcfe03c2e713722c32685912d60b7fff929a3a5032fcc8b7b6de
                                  • Instruction ID: 92b25c672700db29f9e5b30c62d1785ae10698c8a4e1f4a9a659d605fe178b1b
                                  • Opcode Fuzzy Hash: 91c249269b71dcfe03c2e713722c32685912d60b7fff929a3a5032fcc8b7b6de
                                  • Instruction Fuzzy Hash: 3B119134B002149FEF696B79D850B2A37E5EB96394F20C939D146CB355DA25CC818BD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d52ab7a49fc2c0379a970a87c7a407659dfcdecec07cd92f5befe9da1b737de6
                                  • Instruction ID: befef3bb517a2ef5f1be6087ffb370158987e588100cbb45a56a9619a8e41560
                                  • Opcode Fuzzy Hash: d52ab7a49fc2c0379a970a87c7a407659dfcdecec07cd92f5befe9da1b737de6
                                  • Instruction Fuzzy Hash: 1E014071B002169FCF65EFB885916AE7BF5EF88350B25047AD806E7301EB35C9418BD5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9eaa52d485d67ee5b08e2fc7d7462b992e938d90bc4efcea3d73617ee5379c63
                                  • Instruction ID: 71e2d57f1595b4481be8acb98447fb0e59703037f93ace7c47bac9434077016e
                                  • Opcode Fuzzy Hash: 9eaa52d485d67ee5b08e2fc7d7462b992e938d90bc4efcea3d73617ee5379c63
                                  • Instruction Fuzzy Hash: F4017931A001048FCB14DF99E985B8BBBA5FF85310F54C574D8485B29AD774DD45CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 68543ebddc75bb8fce2ed57609a72f730bcf5e02a04aff97dfda1e610f241e8b
                                  • Instruction ID: af19f2df7f59c9924d5441c8048a9447aa628ac99bd3a6d901864719d83519ac
                                  • Opcode Fuzzy Hash: 68543ebddc75bb8fce2ed57609a72f730bcf5e02a04aff97dfda1e610f241e8b
                                  • Instruction Fuzzy Hash: 59014471B00105AFDB009BADCA58BAE7BF1FF88765F258199E106EB7A5CA31DC01CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1146ac015aed73c407d542d9cf3b89595a147e04e63906f3e45ef01811f51b67
                                  • Instruction ID: 8d6ca6ac0258f0f86b3a84f5534a349ab2eb6257a86e725149ddda945634c110
                                  • Opcode Fuzzy Hash: 1146ac015aed73c407d542d9cf3b89595a147e04e63906f3e45ef01811f51b67
                                  • Instruction Fuzzy Hash: A2017C34941209EFCB06EFB8F990A8D7FB5EF84300F5052B9C0059B269DB355A09CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d57b8af18bc903b2db944c0226a81378277ef85b9fd14cf649ba350b6df08501
                                  • Instruction ID: aba9d54ce03863f8394e66f92b8d42513e2ec5580ed82eec055855ec27346c7b
                                  • Opcode Fuzzy Hash: d57b8af18bc903b2db944c0226a81378277ef85b9fd14cf649ba350b6df08501
                                  • Instruction Fuzzy Hash: C1F01435B002188FCB14EB64D9A8B6C73B2EF89315F1044A8E506CB3A0CB35AD42CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.3213676672.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_a90000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 968b2d68cfb71335b1a5c458a2d9e08825ed7c78f7ce94c4de5522df30313052
                                  • Instruction ID: e4015473006dd45078fc453f6e16a28f28f13745c098b02f7defc779ffc375bb
                                  • Opcode Fuzzy Hash: 968b2d68cfb71335b1a5c458a2d9e08825ed7c78f7ce94c4de5522df30313052
                                  • Instruction Fuzzy Hash: BEF03134940209EFCB05FFB8F991A9D7BB9EF84304F505678C0049B259DB316E09CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%