Windows Analysis Report
xoRN6fxApwT8Kin.exe

Overview

General Information

Sample name: xoRN6fxApwT8Kin.exe
Analysis ID: 1436313
MD5: 5f051c2e92d5356803e765524197cf06
SHA1: 76b88dec039bade499a7bd0f95e7c9c1f1508d45
SHA256: 4ba45a9624e8fc73cf5a36e7be9966f01ada829dd88491202baff3b0bce9b6f5
Tags: exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • xoRN6fxApwT8Kin.exe (PID: 2812 cmdline: "C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe" MD5: 5F051C2E92D5356803E765524197CF06)
    • MSBuild.exe (PID: 5988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Malware configuration (Agent Tesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pu.edu.af", "Username": "saif.rohi@pu.edu.af", "Password": "Ro#@.com55"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000002.00000002.3312406521.00000000028D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2104726295.0000000005020000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2103132118.000000000444F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 11 entries shown)

Yara matches in unpacked PEs (Source | Rule | Description | Author):
0.2.xoRN6fxApwT8Kin.exe.5020000.10.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.xoRN6fxApwT8Kin.exe.28467f4.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.xoRN6fxApwT8Kin.exe.285746c.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.xoRN6fxApwT8Kin.exe.5020000.10.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.xoRN6fxApwT8Kin.exe.285746c.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
(5 of 22 entries shown)

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.132.98.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 5988, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49699
No Snort rule has matched

AV Detection

Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pu.edu.af", "Username": "saif.rohi@pu.edu.af", "Password": "Ro#@.com55"}
Source: xoRN6fxApwT8Kin.exe | ReversingLabs: Detection: 57%
Source: xoRN6fxApwT8Kin.exe | Virustotal: Detection: 64%
Source: xoRN6fxApwT8Kin.exe | Joe Sandbox ML: detected
Source: xoRN6fxApwT8Kin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xoRN6fxApwT8Kin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49699 -> 103.132.98.224:587
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.pu.edu.af
Source: MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.pu.edu.af
Source: MSBuild.exe, 00000002.00000002.3315400430.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311671980.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311389172.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3315400430.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/03
Source: MSBuild.exe, 00000002.00000002.3315400430.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311671980.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311389172.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3315400430.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: MSBuild.exe, 00000002.00000002.3311671980.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311671980.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311389172.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3315400430.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 00000002.00000002.3311671980.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311671980.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311389172.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3315400430.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: xoRN6fxApwT8Kin.exe, 00000000.00000002.2103132118.000000000444F000.00000004.00000800.00020000.00000000.sdmp, xoRN6fxApwT8Kin.exe, 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, lBLTBzkV.cs | .Net Code: h9f
Source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.raw.unpack, lBLTBzkV.cs | .Net Code: h9f

System Summary

Source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Code function: 0_2_00D04B20
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Code function: 0_2_00D0EFC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00D69370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00D64A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00D69BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00D63E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00D6CE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00D641C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D1DD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D1BCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D13F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D156D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D18B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D12AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D14FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_05D13248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00D6D76F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00D69BE0
Source: xoRN6fxApwT8Kin.exe | Binary or memory string: OriginalFilename vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe, 00000000.00000002.2105043466.0000000005C80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe, 00000000.00000002.2104546131.0000000004E20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dllD vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe, 00000000.00000002.2095444763.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe, 00000000.00000000.2060243395.00000000004BA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBwnU.exe8 vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe, 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0eb1f663-67ab-4af7-95d7-b04526baf746.exe4 vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe, 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe, 00000000.00000002.2098586390.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dllD vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe, 00000000.00000002.2098586390.00000000028D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0eb1f663-67ab-4af7-95d7-b04526baf746.exe4 vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe | Binary or memory string: OriginalFilenameBwnU.exe8 vs xoRN6fxApwT8Kin.exe
Source: xoRN6fxApwT8Kin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: xoRN6fxApwT8Kin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, kGWv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, 84Zwl.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, Z80kh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, R7VqEELv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, iWM.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, tHB.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, YGTyRx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, PhxrgbBjgH8t6U3oB0.cs | Security API names: _0020.SetAccessControl
Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, PhxrgbBjgH8t6U3oB0.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, PhxrgbBjgH8t6U3oB0.cs | Security API names: _0020.AddAccessRule
Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, zfVtiBZNGOifsVnveL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, PhxrgbBjgH8t6U3oB0.cs | Security API names: _0020.SetAccessControl
Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, PhxrgbBjgH8t6U3oB0.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, PhxrgbBjgH8t6U3oB0.cs | Security API names: _0020.AddAccessRule
Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, zfVtiBZNGOifsVnveL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xoRN6fxApwT8Kin.exe.285746c.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.xoRN6fxApwT8Kin.exe.28467f4.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.xoRN6fxApwT8Kin.exe.5020000.10.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xoRN6fxApwT8Kin.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Mutant created: \Sessions\1\BaseNamedObjects\ICfdlS
Source: xoRN6fxApwT8Kin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xoRN6fxApwT8Kin.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xoRN6fxApwT8Kin.exe | ReversingLabs: Detection: 57%
Source: xoRN6fxApwT8Kin.exe | Virustotal: Detection: 64%
Source: unknown | Process created: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe "C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe"
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: xoRN6fxApwT8Kin.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: xoRN6fxApwT8Kin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      barindex
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5020000.10.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: 0.2.xoRN6fxApwT8Kin.exe.285746c.0.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: 0.2.xoRN6fxApwT8Kin.exe.28467f4.1.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, PhxrgbBjgH8t6U3oB0.cs .Net Code: jC7bXHPjTevFtSniwxA System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, PhxrgbBjgH8t6U3oB0.cs .Net Code: jC7bXHPjTevFtSniwxA System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Code function: 0_2_04E25781 push ss; retf 0_2_04E25783
                      Source: xoRN6fxApwT8Kin.exe Static PE information: section name: .text entropy: 7.977880616762822
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5020000.10.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.285746c.0.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, PBhwNVc1V9U1vwoMuXf.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rcX7W5UVLg', 'N217o3PIwn', 'HdX7HZi9KA', 'MbV7RfPe0f', 'SJZ7juuDio', 'z1C7k90Ig7', 'afd7ERfV07'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, wmI290itSkRspP2Yhn.cs High entropy of concatenated method names: 'TAslNyVnbM', 'thElIJakN4', 'CjFlbkoOrM', 'aTKlnTjudH', 'fRklGAytYk', 'BUIlpbEtnN', 'NkAl8VX35i', 'oHileHUNsy', 'la8lwrBgVW', 'HkMlDO2nj4'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, Ex94nwvge3GJhhVmbc.cs High entropy of concatenated method names: 'fhAxRkh4V', 'yOFshk4Lb', 'Krc590b8K', 'kk5cDmc5n', 'nBjrX694u', 'B4UfGxwhN', 'feBiBGU355cwMmQx7W', 'CHr29x4uFZVq02yE5u', 'FyUlZjO7L', 'r0N7KUh8x'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, JLCalwryhRFlCDjQyW.cs High entropy of concatenated method names: 'vxIn4a3GBh', 'K19ncRUb85', 'L1QbC6fJd7', 'VvUbqPfdel', 'aLKbURM7Df', 'cSpb36drJA', 'TXnbAu67Mu', 'tVpb0oE9V2', 'ugcbVwXPe5', 'BfRbtEsFxV'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, xkKOvtV16DQsu6LDgD.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dQTYg5SdwU', 'NsoYQiq8mo', 'VnJYzTryus', 'vP6uLwVOQ8', 'j1fuMRaOsJ', 'd7OuYSbgZ7', 'RX2uup3lAM', 'Gw4KrbPcqf04KmVAYTs'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, T2PEnHuBfJpOQMBfmJ.cs High entropy of concatenated method names: 'wB1vOnfbdQ', 'tLovrDukRK', 'ShqvJnpPmG', 'LBxvToOtts', 'XPDvqVa737', 'puJvUnL47l', 'dYIvAgL546', 'KoAv0KovSJ', 'T56vtdoCJb', 'Q2wv9Lm9VZ'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, IbRghTnpjW608ZEDMI.cs High entropy of concatenated method names: 'tqxBwmjhpx', 'l1FBDI2SrH', 'ToString', 'IGMBN1vFmZ', 'MhXBIcTuG5', 'ASfBb4At9Q', 'QW6Bnf3PCq', 'JHyBGQgtjf', 'qL4BpIOS3u', 'lTWB8sm6yd'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, PhxrgbBjgH8t6U3oB0.cs High entropy of concatenated method names: 'nhqu621wVN', 'J3cuNIIUdD', 'bE4uI2m7VA', 'f8GubCMsjL', 'P74unNJmdq', 'PFduGCADNi', 'jOIupluhEM', 'Vlbu8CBMZW', 'ynnueyQAdL', 'yhouwYkpjM'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, i6WVtTkkVQifLFZw2W.cs High entropy of concatenated method names: 'ToString', 'Yubh91j19C', 'EpAhTm0nyw', 'CKehCIo1AT', 'GOWhqHL4ei', 'FxqhU2yfcD', 'S3ih3FhQGO', 'w5qhAWKY1h', 'UE4h0PQfiB', 'j2thVMtjmC'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, F4hZbHIRtlvIOY278j.cs High entropy of concatenated method names: 'UDEbsrF6Ne', 'N7ub5OcFoH', 'HIZbOJxeFB', 'DcUbr6FIte', 'wHKbZhUKs3', 'pgfbhxQs3E', 'aLgbBVuNbb', 'FYeblffFXk', 'lPVbXxHOEG', 'iqib7qYV1O'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, yrFM9xaiufxYM9vcvO.cs High entropy of concatenated method names: 'MmfZtig6Ba', 'NN4Zmw8Z7m', 'Lr1ZWDmSkT', 'BwPZoO0NUe', 'nuOZTyw2Cj', 'LD1ZCmrGex', 'n68ZqFrSXL', 'uNCZU0rtKF', 'iqXZ3GsdBa', 'iH7ZARPPhg'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, nY9Wqx9kXbIx7vhLQ9.cs High entropy of concatenated method names: 'q6MB2oPiop', 'Bc8BQehA7F', 'TKSlL2RBhU', 'iT3lMhj0lL', 'rPTB95GYGa', 'jfuBmYgXG7', 'mLcBaCnXUu', 'hLlBW7w8Im', 'UjyBobd4Fc', 'qtcBHr3aIe'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, hk16jxKdareY1Imsea.cs High entropy of concatenated method names: 'tFBpyLZIId', 'Aolpd1nwkC', 'RTQpxX2bGQ', 'Cv0pscspJG', 'j6Ep4tPCnS', 'ilrp5m6iyv', 'FMupch0DhP', 'yuopOkE26E', 'RL3prcgbLh', 'b0Mpfukhre'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, roiSL6x9axwDcmrZST.cs High entropy of concatenated method names: 'm5dMpg0CKh', 'cdfM8H50Lv', 'vDrMw2uFwX', 'zD6MD6cQ5U', 'GdnMZuRiXA', 'bEaMh6Pkgv', 't1aPtLRbXJU5A2sRv2', 'EwPlwrML6CkIo7H7S9', 'UZhMMbNfo9', 'lMSMuV47bf'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, QhNQxfeLxuRmB2u6w5.cs High entropy of concatenated method names: 'GoyXM4sUZJ', 'hvMXuqkRo4', 'jgLXiGfubN', 'saoXNVC5bp', 'SdSXIOMCWp', 'Gl0XnU4AaG', 'MOKXGef6Yx', 'HoKlErfxuB', 'pFWl2F1guS', 'PHElg9Wykc'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, AwxyZC3hnFHSFpYLVL.cs High entropy of concatenated method names: 'WOPlJOVZ6O', 'BTFlTScbUu', 'HLBlCwoKi3', 'ruVlqZCBEw', 'qIqlW4w08u', 'auVlUJgkuo', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, G4T3nQhqVr1NI20gXQ.cs High entropy of concatenated method names: 'Dispose', 'Ug9MgW5C1w', 'qgBYTTJYG8', 'VX9PPtQpqI', 'pF8MQ0Dwmf', 'kiQMzaK8mf', 'ProcessDialogKey', 'mqdYL3O9QQ', 'oheYMW6hW9', 'QsLYYo5cGa'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, zfVtiBZNGOifsVnveL.cs High entropy of concatenated method names: 't4CIWNKtkI', 'lctIoTCEbr', 'd48IHUxX2I', 'eCnIRmL6VK', 'aWuIjBPYrH', 'RncIk9W0S4', 'aveIEmhkhA', 'zDeI296hgc', 'ckMIgIUI0c', 'CxdIQi7Aon'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, MmPFy7DM8Rnw9OAZjp.cs High entropy of concatenated method names: 'TAfG6EBlSk', 'eY8GIqG7GP', 'HCiGnhF3in', 'j0aGpZUZZR', 'bDQG8utF9D', 'rBnnjIWpGQ', 'U1enkt73L3', 'T6wnEh64Nb', 'L9Tn280JvP', 'CT0ngF0t3B'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.5c80000.11.raw.unpack, FHPpFmcjefnK1AXRLoY.cs High entropy of concatenated method names: 'NfcXyyXX2c', 'LI0Xdp1tuB', 'wuFXxfxxmI', 'BNdXs9lwjr', 'ACpX4l6UGu', 'CLuX5uXJMS', 'irOXc3FvNR', 'TLfXOnIa6X', 'rQSXrZGAHi', 'YeCXfpkQFg'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.28467f4.1.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, PBhwNVc1V9U1vwoMuXf.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rcX7W5UVLg', 'N217o3PIwn', 'HdX7HZi9KA', 'MbV7RfPe0f', 'SJZ7juuDio', 'z1C7k90Ig7', 'afd7ERfV07'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, wmI290itSkRspP2Yhn.cs High entropy of concatenated method names: 'TAslNyVnbM', 'thElIJakN4', 'CjFlbkoOrM', 'aTKlnTjudH', 'fRklGAytYk', 'BUIlpbEtnN', 'NkAl8VX35i', 'oHileHUNsy', 'la8lwrBgVW', 'HkMlDO2nj4'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, Ex94nwvge3GJhhVmbc.cs High entropy of concatenated method names: 'fhAxRkh4V', 'yOFshk4Lb', 'Krc590b8K', 'kk5cDmc5n', 'nBjrX694u', 'B4UfGxwhN', 'feBiBGU355cwMmQx7W', 'CHr29x4uFZVq02yE5u', 'FyUlZjO7L', 'r0N7KUh8x'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, JLCalwryhRFlCDjQyW.cs High entropy of concatenated method names: 'vxIn4a3GBh', 'K19ncRUb85', 'L1QbC6fJd7', 'VvUbqPfdel', 'aLKbURM7Df', 'cSpb36drJA', 'TXnbAu67Mu', 'tVpb0oE9V2', 'ugcbVwXPe5', 'BfRbtEsFxV'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, xkKOvtV16DQsu6LDgD.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dQTYg5SdwU', 'NsoYQiq8mo', 'VnJYzTryus', 'vP6uLwVOQ8', 'j1fuMRaOsJ', 'd7OuYSbgZ7', 'RX2uup3lAM', 'Gw4KrbPcqf04KmVAYTs'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, T2PEnHuBfJpOQMBfmJ.cs High entropy of concatenated method names: 'wB1vOnfbdQ', 'tLovrDukRK', 'ShqvJnpPmG', 'LBxvToOtts', 'XPDvqVa737', 'puJvUnL47l', 'dYIvAgL546', 'KoAv0KovSJ', 'T56vtdoCJb', 'Q2wv9Lm9VZ'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, IbRghTnpjW608ZEDMI.cs High entropy of concatenated method names: 'tqxBwmjhpx', 'l1FBDI2SrH', 'ToString', 'IGMBN1vFmZ', 'MhXBIcTuG5', 'ASfBb4At9Q', 'QW6Bnf3PCq', 'JHyBGQgtjf', 'qL4BpIOS3u', 'lTWB8sm6yd'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, PhxrgbBjgH8t6U3oB0.cs High entropy of concatenated method names: 'nhqu621wVN', 'J3cuNIIUdD', 'bE4uI2m7VA', 'f8GubCMsjL', 'P74unNJmdq', 'PFduGCADNi', 'jOIupluhEM', 'Vlbu8CBMZW', 'ynnueyQAdL', 'yhouwYkpjM'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, i6WVtTkkVQifLFZw2W.cs High entropy of concatenated method names: 'ToString', 'Yubh91j19C', 'EpAhTm0nyw', 'CKehCIo1AT', 'GOWhqHL4ei', 'FxqhU2yfcD', 'S3ih3FhQGO', 'w5qhAWKY1h', 'UE4h0PQfiB', 'j2thVMtjmC'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, F4hZbHIRtlvIOY278j.cs High entropy of concatenated method names: 'UDEbsrF6Ne', 'N7ub5OcFoH', 'HIZbOJxeFB', 'DcUbr6FIte', 'wHKbZhUKs3', 'pgfbhxQs3E', 'aLgbBVuNbb', 'FYeblffFXk', 'lPVbXxHOEG', 'iqib7qYV1O'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, yrFM9xaiufxYM9vcvO.cs High entropy of concatenated method names: 'MmfZtig6Ba', 'NN4Zmw8Z7m', 'Lr1ZWDmSkT', 'BwPZoO0NUe', 'nuOZTyw2Cj', 'LD1ZCmrGex', 'n68ZqFrSXL', 'uNCZU0rtKF', 'iqXZ3GsdBa', 'iH7ZARPPhg'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, nY9Wqx9kXbIx7vhLQ9.cs High entropy of concatenated method names: 'q6MB2oPiop', 'Bc8BQehA7F', 'TKSlL2RBhU', 'iT3lMhj0lL', 'rPTB95GYGa', 'jfuBmYgXG7', 'mLcBaCnXUu', 'hLlBW7w8Im', 'UjyBobd4Fc', 'qtcBHr3aIe'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, hk16jxKdareY1Imsea.cs High entropy of concatenated method names: 'tFBpyLZIId', 'Aolpd1nwkC', 'RTQpxX2bGQ', 'Cv0pscspJG', 'j6Ep4tPCnS', 'ilrp5m6iyv', 'FMupch0DhP', 'yuopOkE26E', 'RL3prcgbLh', 'b0Mpfukhre'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, roiSL6x9axwDcmrZST.cs High entropy of concatenated method names: 'm5dMpg0CKh', 'cdfM8H50Lv', 'vDrMw2uFwX', 'zD6MD6cQ5U', 'GdnMZuRiXA', 'bEaMh6Pkgv', 't1aPtLRbXJU5A2sRv2', 'EwPlwrML6CkIo7H7S9', 'UZhMMbNfo9', 'lMSMuV47bf'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, QhNQxfeLxuRmB2u6w5.cs High entropy of concatenated method names: 'GoyXM4sUZJ', 'hvMXuqkRo4', 'jgLXiGfubN', 'saoXNVC5bp', 'SdSXIOMCWp', 'Gl0XnU4AaG', 'MOKXGef6Yx', 'HoKlErfxuB', 'pFWl2F1guS', 'PHElg9Wykc'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, AwxyZC3hnFHSFpYLVL.cs High entropy of concatenated method names: 'WOPlJOVZ6O', 'BTFlTScbUu', 'HLBlCwoKi3', 'ruVlqZCBEw', 'qIqlW4w08u', 'auVlUJgkuo', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, G4T3nQhqVr1NI20gXQ.cs High entropy of concatenated method names: 'Dispose', 'Ug9MgW5C1w', 'qgBYTTJYG8', 'VX9PPtQpqI', 'pF8MQ0Dwmf', 'kiQMzaK8mf', 'ProcessDialogKey', 'mqdYL3O9QQ', 'oheYMW6hW9', 'QsLYYo5cGa'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, zfVtiBZNGOifsVnveL.cs High entropy of concatenated method names: 't4CIWNKtkI', 'lctIoTCEbr', 'd48IHUxX2I', 'eCnIRmL6VK', 'aWuIjBPYrH', 'RncIk9W0S4', 'aveIEmhkhA', 'zDeI296hgc', 'ckMIgIUI0c', 'CxdIQi7Aon'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, MmPFy7DM8Rnw9OAZjp.cs High entropy of concatenated method names: 'TAfG6EBlSk', 'eY8GIqG7GP', 'HCiGnhF3in', 'j0aGpZUZZR', 'bDQG8utF9D', 'rBnnjIWpGQ', 'U1enkt73L3', 'T6wnEh64Nb', 'L9Tn280JvP', 'CT0ngF0t3B'
                      Source: 0.2.xoRN6fxApwT8Kin.exe.3bd30d0.7.raw.unpack, FHPpFmcjefnK1AXRLoY.cs High entropy of concatenated method names: 'NfcXyyXX2c', 'LI0Xdp1tuB', 'wuFXxfxxmI', 'BNdXs9lwjr', 'ACpX4l6UGu', 'CLuX5uXJMS', 'irOXc3FvNR', 'TLfXOnIa6X', 'rQSXrZGAHi', 'YeCXfpkQFg'
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Memory allocated: D00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Memory allocated: 27F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Memory allocated: 47F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Memory allocated: 5D00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Memory allocated: 6D00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Memory allocated: 6F40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Memory allocated: 7F40000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: D60000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2860000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 27A0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2689
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7159
                      Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe TID: 5432 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep count: 35 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -32281802128991695s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -100000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1460 Thread sleep count: 2689 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -99725s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1460 Thread sleep count: 7159 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -99609s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -99500s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -99390s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -99281s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -99171s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -99062s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98953s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98843s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98734s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98624s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98515s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98406s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98296s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98187s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -98078s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -97968s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -97859s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -97749s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -97639s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -97518s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95973s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95854s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95749s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95640s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95530s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95415s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95308s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95189s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -95074s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -94968s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824 Thread sleep time: -94812s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -94687s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -94577s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -94468s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -94359s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -94249s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -94140s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -94031s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93920s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93810s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93702s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93592s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93484s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93374s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93265s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93156s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -93046s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -92937s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1824Thread sleep time: -92828s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99725
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95415
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 95074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 94031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 93046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 92937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 92828
Source: MSBuild.exe, 00000002.00000002.3315400430.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Queries volume information: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe VolumeInformation
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3312406521.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2103132118.000000000444F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xoRN6fxApwT8Kin.exe PID: 2812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5988, type: MEMORYSTR
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.5020000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.28467f4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.285746c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.5020000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.285746c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.28467f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.28135d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.2a995c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.2a985b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.2a9b5e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2104726295.0000000005020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2098586390.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2098586390.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2103132118.000000000444F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xoRN6fxApwT8Kin.exe PID: 2812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5988, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b67c68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.3b2d248.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3312406521.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2103132118.000000000444F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xoRN6fxApwT8Kin.exe PID: 2812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5988, type: MEMORYSTR
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.5020000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.28467f4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.285746c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.5020000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.285746c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.28467f4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.28135d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.2a995c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.2a985b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xoRN6fxApwT8Kin.exe.2a9b5e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2104726295.0000000005020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2098586390.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2098586390.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix (techniques listed per tactic, in the order of the matrix rows; numeric prefixes are kept as shown on the page)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 2 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 12 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Source | Detection | Scanner | Label | Link
xoRN6fxApwT8Kin.exe | 58% | ReversingLabs | Win32.Spyware.Negasteal |
xoRN6fxApwT8Kin.exe | 65% | Virustotal | | Browse
xoRN6fxApwT8Kin.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
fp2e7a.wpc.phicdn.net | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
http://mail.pu.edu.af | 0% | Avira URL Cloud | safe |
http://r3.i.lencr.org/03 | 0% | Avira URL Cloud | safe |
http://r3.i.lencr.org/03 | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.pu.edu.af | 103.132.98.224 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://r3.o.lencr.org0 | MSBuild.exe, 00000002.00000002.3315400430.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311671980.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311389172.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3315400430.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.pu.edu.af | MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | xoRN6fxApwT8Kin.exe, 00000000.00000002.2103132118.000000000444F000.00000004.00000800.00020000.00000000.sdmp, xoRN6fxApwT8Kin.exe, 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | MSBuild.exe, 00000002.00000002.3311671980.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311671980.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311389172.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3315400430.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | MSBuild.exe, 00000002.00000002.3311671980.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311671980.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311389172.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3315400430.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/03 | MSBuild.exe, 00000002.00000002.3315400430.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311671980.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3311389172.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3315400430.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.132.98.224 | mail.pu.edu.af | Afghanistan | 58469 | MOCI-AS-APMinistryofCommunicationITAF | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1436313
                          Start date and time:2024-05-04 10:15:17 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 52s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:5
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:xoRN6fxApwT8Kin.exe
                          Detection:MAL
                          Classification:mal100.spre.troj.spyw.evad.winEXE@3/1@1/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 96%
                          • Number of executed functions: 72
                          • Number of non-executed functions: 1
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                          • Excluded IPs from analysis (whitelisted): 20.114.59.183, 23.206.229.80, 23.206.229.76, 192.229.211.108, 52.165.164.15, 13.85.23.206, 52.165.165.26
                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:16:02 | API Interceptor | 2x Sleep call for process: xoRN6fxApwT8Kin.exe modified
10:16:06 | API Interceptor | 62x Sleep call for process: MSBuild.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
103.132.98.224 | HAhJORNtiOFCEGH.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
103.132.98.224 | eiQXaKJ75nCjEWn.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
103.132.98.224 | MehGCkAdgaX9oF0.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
103.132.98.224 | wsst63fXULoBQTw.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
fp2e7a.wpc.phicdn.net | HAhJORNtiOFCEGH.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | 43643456.exe | Get hash | malicious | AgentTesla | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | Hesaphareketi-01.exe | Get hash | malicious | AgentTesla | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | LFfjUMuUFU.exe | Get hash | malicious | AsyncRAT, PureLog Stealer, XWorm | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://lestore.lenovo.com/detail/L109130 | Get hash | malicious | Unknown | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://www.67rwzb.cn/ | Get hash | malicious | Unknown | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://jingxinwl.com/ | Get hash | malicious | Unknown | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://vpassz.xu4nblog.com/ | Get hash | malicious | Unknown | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://rdtetsyutfuyfrxytf.azurewebsites.net/ | Get hash | malicious | TechSupportScam | Browse | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://8952627338.z28.web.core.windows.net/?phone=09-70-18-72-82 | Get hash | malicious | Unknown | Browse | 192.229.211.108
mail.pu.edu.af | HAhJORNtiOFCEGH.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 103.132.98.224
mail.pu.edu.af | eiQXaKJ75nCjEWn.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 103.132.98.224
mail.pu.edu.af | MehGCkAdgaX9oF0.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 103.132.98.224
mail.pu.edu.af | wsst63fXULoBQTw.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 103.132.98.224
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MOCI-AS-APMinistryofCommunicationITAF | HAhJORNtiOFCEGH.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 103.132.98.224
MOCI-AS-APMinistryofCommunicationITAF | eiQXaKJ75nCjEWn.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 103.132.98.224
MOCI-AS-APMinistryofCommunicationITAF | MehGCkAdgaX9oF0.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 103.132.98.224
MOCI-AS-APMinistryofCommunicationITAF | wsst63fXULoBQTw.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 103.132.98.224
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.34331486778365
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.959551307417164
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:xoRN6fxApwT8Kin.exe
                                  File size:698'368 bytes
                                  MD5:5f051c2e92d5356803e765524197cf06
                                  SHA1:76b88dec039bade499a7bd0f95e7c9c1f1508d45
                                  SHA256:4ba45a9624e8fc73cf5a36e7be9966f01ada829dd88491202baff3b0bce9b6f5
                                  SHA512:22b11adc57fbcea6a4af09ceff55db572cc8b973c05f31754d952a4eed6969081e658cab20cda78912a9e632c12652b3dfc66f53e11f3d750c8fd588a814d2a8
                                  SSDEEP:12288:H3/T3/fVrTtK3/I1ijxmtq9ICp/gls875z4fD/HRtkDqwAXYbVE/Tr5TR803/K3/:HrXVrTtKAowtq9FcGtkDqwjorVRhy
                                  TLSH:41E4234462EDEB1ED13FC3F42E0A4B400776BB1E6512EA4D1ED135C51DEAB4A8B50367
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a3f..............0..h...8......~.... ........@.. ....................................@................................
                                  Icon Hash:0773f1fcfccc6113
                                  Entrypoint:0x4a867e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6633611C [Thu May 2 09:47:08 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
aaa
inc edi
aaa
dec eax
xor eax, 42000000h
xor eax, 4E343531h
xor eax, 32414939h
dec ecx
aaa
aaa
inc ebp
xor al, 56h
add byte ptr [eax], al   (the same instruction repeated 84 times)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa862c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x2ce4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa66a4 | 0xa6800 | bd716af570a43038fb96bfbea311c7f7 | False | 0.9612439588025525 | data | 7.977880616762822 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xaa000 | 0x2ce4 | 0x3000 | f15d6678cc8e04d15dc1f40e7b55b39a | False | 0.87158203125 | data | 7.429937630761524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000 | 0xc | 0x800 | 0dab594ddb09319917057eee0a3b7130 | False | 0.015625 | data | 0.02939680787012526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xaa100 | 0x26cd | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9980871841336958
RT_GROUP_ICON | 0xac7e0 | 0x14 | data | | | 1.05
RT_VERSION | 0xac804 | 0x2e0 | data | | | 0.4470108695652174
RT_MANIFEST | 0xacaf4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2024 10:16:01.830677032 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
May 4, 2024 10:16:01.830679893 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
May 4, 2024 10:16:02.143174887 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
May 4, 2024 10:16:07.637532949 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:08.079993010 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:08.080149889 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:08.525700092 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:08.536982059 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:08.978621006 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:08.978641987 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:08.978985071 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:09.420753002 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:09.471353054 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:10.851033926 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:11.294267893 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:11.294310093 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:11.294328928 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:11.294435024 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:11.346355915 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:11.356385946 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:11.440052032 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
May 4, 2024 10:16:11.440053940 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
May 4, 2024 10:16:11.752628088 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
May 4, 2024 10:16:11.800679922 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:11.846467972 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:11.914387941 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:12.356578112 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:12.357618093 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:12.799458027 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:12.800743103 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:13.159192085 CEST | 443 | 49698 | 173.222.162.64 | 192.168.2.6
May 4, 2024 10:16:13.159388065 CEST | 49698 | 443 | 192.168.2.6 | 173.222.162.64
May 4, 2024 10:16:13.253591061 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:13.253931046 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:13.700778008 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:13.701153994 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:14.182547092 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:14.234062910 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:14.234370947 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:14.685085058 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:14.685539007 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:14.686222076 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:14.686269045 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:14.686285973 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:14.686306000 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:16:15.130297899 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:15.130351067 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:15.181576014 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:16:15.221333981 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:17:47.065613031 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:17:47.509490967 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:17:47.509659052 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6
May 4, 2024 10:17:47.509749889 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
May 4, 2024 10:17:47.518764019 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2024 10:16:07.047861099 CEST | 55571 | 53 | 192.168.2.6 | 1.1.1.1
May 4, 2024 10:16:07.626666069 CEST | 53 | 55571 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 4, 2024 10:16:07.047861099 CEST | 192.168.2.6 | 1.1.1.1 | 0x5929 | Standard query (0) | mail.pu.edu.af | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 4, 2024 10:16:07.626666069 CEST | 1.1.1.1 | 192.168.2.6 | 0x5929 | No error (0) | mail.pu.edu.af | | 103.132.98.224 | A (IP address) | IN (0x0001) | false
May 4, 2024 10:16:23.357911110 CEST | 1.1.1.1 | 192.168.2.6 | 0xcd67 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
May 4, 2024 10:16:23.357911110 CEST | 1.1.1.1 | 192.168.2.6 | 0xcd67 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false
May 4, 2024 10:16:37.708683968 CEST | 1.1.1.1 | 192.168.2.6 | 0xbf19 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
May 4, 2024 10:16:37.708683968 CEST | 1.1.1.1 | 192.168.2.6 | 0xbf19 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 4, 2024 10:16:08.525700092 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6 | 220 scloud.andc.gov.af ESMTP Postfix
May 4, 2024 10:16:08.536982059 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224 | EHLO 960781
May 4, 2024 10:16:08.978641987 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6 | 250-scloud.andc.gov.af
    250-PIPELINING
    250-SIZE 204800000
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 4, 2024 10:16:08.978985071 CEST | 49699 | 587 | 192.168.2.6 | 103.132.98.224 | STARTTLS
May 4, 2024 10:16:09.420753002 CEST | 587 | 49699 | 103.132.98.224 | 192.168.2.6 | 220 2.0.0 Ready to start TLS

                                  Target ID:0
                                  Start time:10:16:02
                                  Start date:04/05/2024
                                  Path:C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\xoRN6fxApwT8Kin.exe"
                                  Imagebase:0x410000
                                  File size:698'368 bytes
                                  MD5 hash:5F051C2E92D5356803E765524197CF06
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2104726295.0000000005020000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2103132118.000000000444F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2103132118.000000000444F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2103132118.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2098586390.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2098586390.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:10:16:03
                                  Start date:04/05/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                  Imagebase:0x4e0000
                                  File size:262'432 bytes
                                  MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3312406521.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3311154081.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3312406521.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:moderate
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:7.3%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:93
                                    Total number of Limit Nodes:10
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b9f4369a32f40ff7b89c1b4249d30d246c3009e0422d32b0c0abe60f03239ee7
                                    • Instruction ID: 9141e51e655779247adec9f13f544cd5befcfcaef3be36bdb66caf3be50e4040
                                    • Opcode Fuzzy Hash: b9f4369a32f40ff7b89c1b4249d30d246c3009e0422d32b0c0abe60f03239ee7
                                    • Instruction Fuzzy Hash: 07312823914B8A8BCB158D375C176DB7BB25B47228F04C349B9AC0F2E2D279DE56C709
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00D0D55E
                                    • GetCurrentThread.KERNEL32 ref: 00D0D59B
                                    • GetCurrentProcess.KERNEL32 ref: 00D0D5D8
                                    • GetCurrentThreadId.KERNEL32 ref: 00D0D631
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: f6d426a1443f142af9ec4d4f033db36c029b8d95b7ae2fd710830b5a86d9ed8d
                                    • Instruction ID: d7fbbdb561ac451ec1f43710134610e90c9732c83abe7cd4740b841c015784de
                                    • Opcode Fuzzy Hash: f6d426a1443f142af9ec4d4f033db36c029b8d95b7ae2fd710830b5a86d9ed8d
                                    • Instruction Fuzzy Hash: 5A5186B0D013498FDB04CFA9D948B9EBFF1EF88314F248459E409A73A0DB74A944CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00D0D55E
                                    • GetCurrentThread.KERNEL32 ref: 00D0D59B
                                    • GetCurrentProcess.KERNEL32 ref: 00D0D5D8
                                    • GetCurrentThreadId.KERNEL32 ref: 00D0D631
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: ef9fec509a32fcfe8318fa4df065d4ace494e5650c533d4551d535d08c91bb21
                                    • Instruction ID: 690ad4b7ba292924224b6f4c5ddb6d6692821657749f044da9e14d6c18fa4faf
                                    • Opcode Fuzzy Hash: ef9fec509a32fcfe8318fa4df065d4ace494e5650c533d4551d535d08c91bb21
                                    • Instruction Fuzzy Hash: 0F5156B0D0134A8FDB14CFAADA48B9EBBF1EF88314F248459E409A7390DB749944CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B09E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: b6e1c44d36281fb986243e5c5e87f218b972fb3d0d95f48151305f5195623cf2
                                    • Instruction ID: 49ebe41b638a9c717c15fdc73c903c7b20b27b213137c73b122ec3d14c87d78d
                                    • Opcode Fuzzy Hash: b6e1c44d36281fb986243e5c5e87f218b972fb3d0d95f48151305f5195623cf2
                                    • Instruction Fuzzy Hash: 667147B0A00B068FD724DF69D45575ABBF1FF88300F048A2DE44AD7A90DB75E945CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00D059E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 44300331b57d432e4a5edfc3f102a0fb120efab3910d8ea1333cb40de2a0c131
                                    • Instruction ID: b09d24ea1cf860794a86c9c124e758f7f64d1404b65becb8a10758104a37f8ee
                                    • Opcode Fuzzy Hash: 44300331b57d432e4a5edfc3f102a0fb120efab3910d8ea1333cb40de2a0c131
                                    • Instruction Fuzzy Hash: 3441E2B0C0076DCFEB25CFA9C984B9EBBB1BF48304F24815AD409AB255DB756946CF60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00D059E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: d8de99fcbdead9f1f1935f310826fa8b369a4b2a0fa2bc241c29499bf86ca96c
                                    • Instruction ID: bf018c8b84dc681a4a591db52520c2562a1bc65acf35c4ecbf54dc134837aaa3
                                    • Opcode Fuzzy Hash: d8de99fcbdead9f1f1935f310826fa8b369a4b2a0fa2bc241c29499bf86ca96c
                                    • Instruction Fuzzy Hash: 59410470C0071DCFEB25CFA9C944B9EBBB5BF48304F20816AD409AB255DB756945CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D7AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 02e54d0483496d36beff78cb82808172c753e0fdef6f28834292d8016159b8e9
                                    • Instruction ID: 8a4c6ab0c432fc0a80b6a3306db4d21ca0a5c3789bedf4d25b1c51b302ad8f82
                                    • Opcode Fuzzy Hash: 02e54d0483496d36beff78cb82808172c753e0fdef6f28834292d8016159b8e9
                                    • Instruction Fuzzy Hash: FA2114B5800248DFDB10CFAAD585ADEBFF5FB48320F14801AE918A7350D378A944CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D7AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 6a26832e367e24ac4a016e29eddafc74f40c3456921264f149331eb5e0ff0611
                                    • Instruction ID: 51b7fd100b1b61bfd72266757b7dbdb41486139ee9172796e321dd0218cd5aad
                                    • Opcode Fuzzy Hash: 6a26832e367e24ac4a016e29eddafc74f40c3456921264f149331eb5e0ff0611
                                    • Instruction Fuzzy Hash: 6D21E4B5900249DFDB10CF9AD984ADEBBF5FB48320F14801AE918A3350D378A954CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D0B119,00000800,00000000,00000000), ref: 00D0B72A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: f3057e990738405647f5e98a8fae296b8f996fa831d9003b59d9ee999171b992
                                    • Instruction ID: 17c0544217a75b6e6ac4d51517985ec3a677f91adc19ee89c546d0dc7873d683
                                    • Opcode Fuzzy Hash: f3057e990738405647f5e98a8fae296b8f996fa831d9003b59d9ee999171b992
                                    • Instruction Fuzzy Hash: CF1117B6804309CFDB10CF9AD444BAEFBF4EB88320F14842AD519A7340C3B5A945CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D0B119,00000800,00000000,00000000), ref: 00D0B72A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 6f86c413fa9fcbaf443482141ff84328900125bb2e1aeea4a993cf98e913dbbe
                                    • Instruction ID: 2c87fba655f1eac022a7aa5b7a5dabff817909e1bd234d59c6669dd2c0a6058f
                                    • Opcode Fuzzy Hash: 6f86c413fa9fcbaf443482141ff84328900125bb2e1aeea4a993cf98e913dbbe
                                    • Instruction Fuzzy Hash: 9B1114B68043498FDB10CFAAD444BDEFBF4EB88320F14842AD559A7240C3B5A545CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B09E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: f47183570e40ff5d38c845e3c776f8513a5803e28921cfd5283780c4ae908323
                                    • Instruction ID: e541ffe97cccb38685d2ae9495e48bd54c13673bffb0a8241a85c71b32f5c67c
                                    • Opcode Fuzzy Hash: f47183570e40ff5d38c845e3c776f8513a5803e28921cfd5283780c4ae908323
                                    • Instruction Fuzzy Hash: FA1102B5C046498FDB10CF9AC444BDEFBF4EB88324F14841AD429A7240D3B9A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2095973970.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cad000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9d44d25542e37e842392d33849895f2ee1580fc4b67715283df0778a2643c324
                                    • Instruction ID: 15c12ec2d87cb9a4b159e3ff9eca932a1accb601f6498e0abfb369b131842dfb
                                    • Opcode Fuzzy Hash: 9d44d25542e37e842392d33849895f2ee1580fc4b67715283df0778a2643c324
                                    • Instruction Fuzzy Hash: 6E2121B2504201EFCB05DF10D9C0B2ABB61FB89318F2082A9E90B0A656C336DC16CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2095973970.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cad000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5e16c9db052bff974368c0986d606abd33488999f5d7531da0006e87f213ba53
                                    • Instruction ID: c63a55e02b5ccbea79b3685fabe86d7b6efe782df44dacf3a47c080743c4a3fb
                                    • Opcode Fuzzy Hash: 5e16c9db052bff974368c0986d606abd33488999f5d7531da0006e87f213ba53
                                    • Instruction Fuzzy Hash: 8F2145B2900241EFCB05DF14D9C0B2ABF61FB8831CF20C569E90B0B656C336D956CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096055847.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cbd000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 461deeef41b85bda9f6dc04021e11dccf2d8b5bddbdfd08933dff79b3cd91aad
                                    • Instruction ID: f852c8a3fc6950f7b8465608d0ea43efd7298d7e88519ece135438094dc80c58
                                    • Opcode Fuzzy Hash: 461deeef41b85bda9f6dc04021e11dccf2d8b5bddbdfd08933dff79b3cd91aad
                                    • Instruction Fuzzy Hash: FD212275604300EFCB14EF14E9C0B66BB61FB88314F20C5ADE90A0B292D37AD807CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096055847.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cbd000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 99841b1358146a3338200896ce4dec90fef1f8615e23f4dfbce41312f0ff797d
                                    • Instruction ID: bce781474fb934feee36310a633e62efa4dd91d40b367140c3c8da2b46b70d18
                                    • Opcode Fuzzy Hash: 99841b1358146a3338200896ce4dec90fef1f8615e23f4dfbce41312f0ff797d
                                    • Instruction Fuzzy Hash: 6A213475504280EFDB04DF14D9C0B66BBA5FB84314F20C5ADE90A4B292D376DC46CB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096055847.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cbd000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ecc135126412e5822b4ec88607d88178b5668221ae446472888afa762263aac2
                                    • Instruction ID: f1f678db43261d2ce6cdc922a5961b6189dc9f6c1ea6cbd858ed4f23d2113b6a
                                    • Opcode Fuzzy Hash: ecc135126412e5822b4ec88607d88178b5668221ae446472888afa762263aac2
                                    • Instruction Fuzzy Hash: 07218E755093C08FCB02DF20D990755BF71EB46314F28C5EAD8498B2A7C33A980ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2095973970.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cad000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
                                    • Instruction ID: 6469f9b3c301d2ef8a3158543d77a87ed52752c34dc66beac383f72e9c444ba2
                                    • Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
                                    • Instruction Fuzzy Hash: FB21E1B6404285CFCB06CF00D9C4B16BF72FB84314F24C2A9DC4A0B656C33AD926CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2095973970.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cad000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                    • Instruction ID: d3c2563f872bf31330fdfc83d39eab7077a4c66e99998f09f888701e639db4df
                                    • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                    • Instruction Fuzzy Hash: CD11E6B6904284CFCB15CF10D5C4B1ABF71FB94318F24C6A9D84A0B656C33AD956CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096055847.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cbd000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                    • Instruction ID: c628a263cffaccaa154e36c11ccaf8d327c1c118eeaafc4146c1e0b6008c03c3
                                    • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                    • Instruction Fuzzy Hash: 9B11BB75504280DFCB01CF10C5C0B55BBA1FB84314F24C6A9D84A4B2A6C33AD84ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2095973970.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cad000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 980c500b4a7bcece120d759ce0fde0f5dce5abe29a0f78c7e4f96767c0fe3cf1
                                    • Instruction ID: a62d5407e54864b0012bcdf1c3c2de2e17ccf760388dc4207e906ebf8d7fa0c6
                                    • Opcode Fuzzy Hash: 980c500b4a7bcece120d759ce0fde0f5dce5abe29a0f78c7e4f96767c0fe3cf1
                                    • Instruction Fuzzy Hash: 45012B71004345DAF7144E26CD84B66BF98DF42328F18C56AEE1B8A69AC6B99940C671
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2095973970.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cad000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0814282bc116a481b792153fd41b55c1bf28d76f13882db60c6b1e5d31e252ea
                                    • Instruction ID: 0a98cd12654415f9bbe0e864d215cff1d2487247a549301676e9f23545947635
                                    • Opcode Fuzzy Hash: 0814282bc116a481b792153fd41b55c1bf28d76f13882db60c6b1e5d31e252ea
                                    • Instruction Fuzzy Hash: 30F0F6714043449EF7148E15CCC8B62FF98EB81738F18C05AEE0A8B69AC3B99D44CBB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2096781701.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d00000_xoRN6fxApwT8Kin.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 802be132ee7be9a7343f05ecf8e1c95e414e89d24b53a5511f348e7b6906a849
                                    • Instruction ID: c4fee7663351451af1fc431fbdc445fee1534b0abd4a6516c4c59f39b140f937
                                    • Opcode Fuzzy Hash: 802be132ee7be9a7343f05ecf8e1c95e414e89d24b53a5511f348e7b6906a849
                                    • Instruction Fuzzy Hash: 5BA14E32E00205CFCF15DFA5C44069EB7B2FF85300B25857AE909AB2A6DB75ED56CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:11.9%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:9
                                    Total number of Limit Nodes:2
                                    execution_graph 27544 5d1e1a8 27545 5d1e1b5 27544->27545 27546 5d1e1dd 27544->27546 27552 5d1d57c 27546->27552 27548 5d1e1fe 27550 5d1e2c6 GlobalMemoryStatusEx 27551 5d1e2f6 27550->27551 27553 5d1e280 GlobalMemoryStatusEx 27552->27553 27555 5d1e1fa 27553->27555 27555->27548 27555->27550
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f21351b3b81a3b89b3359c08d9f488bca8ca40b109b83644421619a072e3be14
                                    • Instruction ID: 8dab863aab76b0bdb74d6c7fe64403c83c559bfc4226a409fe9c29cf3cf7f75d
                                    • Opcode Fuzzy Hash: f21351b3b81a3b89b3359c08d9f488bca8ca40b109b83644421619a072e3be14
                                    • Instruction Fuzzy Hash: 4653F731D10B1A8ADB11EF68C8946A9F7B1FF99300F15D79AE45877121EB70AAC4CF81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7ec26410832899499c0898198ece1186569b28227587f72f7c87d7a60e485832
                                    • Instruction ID: d16a106405eef5c826aa3dc1ad6b22f4dee0e3b118ae1497a32958ccb9431aee
                                    • Opcode Fuzzy Hash: 7ec26410832899499c0898198ece1186569b28227587f72f7c87d7a60e485832
                                    • Instruction Fuzzy Hash: AD332D31D10B198ECB11EF68C8906ADF7B1FF99300F15D79AE458A7211EB70AAC5CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1212 d63e80-d63ee6 1214 d63f30-d63f32 1212->1214 1215 d63ee8-d63ef3 1212->1215 1216 d63f34-d63f8c 1214->1216 1215->1214 1217 d63ef5-d63f01 1215->1217 1226 d63fd6-d63fd8 1216->1226 1227 d63f8e-d63f99 1216->1227 1218 d63f24-d63f2e 1217->1218 1219 d63f03-d63f0d 1217->1219 1218->1216 1221 d63f11-d63f20 1219->1221 1222 d63f0f 1219->1222 1221->1221 1223 d63f22 1221->1223 1222->1221 1223->1218 1228 d63fda-d63ff2 1226->1228 1227->1226 1229 d63f9b-d63fa7 1227->1229 1235 d63ff4-d63fff 1228->1235 1236 d6403c-d6403e 1228->1236 1230 d63fca-d63fd4 1229->1230 1231 d63fa9-d63fb3 1229->1231 1230->1228 1233 d63fb7-d63fc6 1231->1233 1234 d63fb5 1231->1234 1233->1233 1237 d63fc8 1233->1237 1234->1233 1235->1236 1238 d64001-d6400d 1235->1238 1239 d64040-d6408e 1236->1239 1237->1230 1240 d64030-d6403a 1238->1240 1241 d6400f-d64019 1238->1241 1247 d64094-d640a2 1239->1247 1240->1239 1242 d6401d-d6402c 1241->1242 1243 d6401b 1241->1243 1242->1242 1245 d6402e 1242->1245 1243->1242 1245->1240 1248 d640a4-d640aa 1247->1248 1249 d640ab-d6410b 1247->1249 1248->1249 1256 d6410d-d64111 1249->1256 1257 d6411b-d6411f 1249->1257 1256->1257 1260 d64113 1256->1260 1258 d64121-d64125 1257->1258 1259 d6412f-d64133 1257->1259 1258->1259 1261 d64127-d6412a call d60ab8 1258->1261 1262 d64135-d64139 1259->1262 1263 d64143-d64147 1259->1263 1260->1257 1261->1259 1262->1263 1265 d6413b-d6413e call d60ab8 1262->1265 1266 d64157-d6415b 1263->1266 1267 d64149-d6414d 1263->1267 1265->1263 1270 d6415d-d64161 1266->1270 1271 d6416b-d6416f 1266->1271 1267->1266 1269 d6414f-d64152 call d60ab8 1267->1269 1269->1266 1270->1271 1275 d64163 1270->1275 1272 d64171-d64175 1271->1272 1273 d6417f 1271->1273 1272->1273 1276 d64177 1272->1276 1277 d64180 1273->1277 1275->1271 1276->1273 1277->1277
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \VNm
                                    • API String ID: 0-2505523818
                                    • Opcode ID: 40837ca0122658b0f993e7ada5692cbb296a4dd0d25343b2660ed3efda05de80
                                    • Instruction ID: 5ec1840f390d5b5f5a8fa02fbbda7f701393bcf6447a539a14fc7e1b04b3530e
                                    • Opcode Fuzzy Hash: 40837ca0122658b0f993e7ada5692cbb296a4dd0d25343b2660ed3efda05de80
                                    • Instruction Fuzzy Hash: BA918C70E00319DFDF14CFA9C88179EBBF2AF98304F188129E415A7294EB749985CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b2ad12a3375315e39f8412c42a46787c1b2498df8d5bcbd08f36bd3239cd9a3c
                                    • Instruction ID: b0eaeb17fc8c52d4ebf3ea637afeca87f1f767c1155805eedb73db228d8def63
                                    • Opcode Fuzzy Hash: b2ad12a3375315e39f8412c42a46787c1b2498df8d5bcbd08f36bd3239cd9a3c
                                    • Instruction Fuzzy Hash: 56328E34A102058FDB14DFA8D594BADBBB6FF88310F248569E909EB395DB70DC45CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: feec2f7933dde199a82795371d6ae3168df016e7b8d1b6204d3a47939caf263a
                                    • Instruction ID: 03186ed36f3736677b981e0f5ee3fc7c0cd9216fef96482342f6e572028105cb
                                    • Opcode Fuzzy Hash: feec2f7933dde199a82795371d6ae3168df016e7b8d1b6204d3a47939caf263a
                                    • Instruction Fuzzy Hash: F7B14D70E002198FDF14CFA9C8917AEBBF2AF88754F288129D815E7394EB749845CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 459 d64810-d6489c 462 d648e6-d648e8 459->462 463 d6489e-d648a9 459->463 465 d648ea-d64902 462->465 463->462 464 d648ab-d648b7 463->464 466 d648da-d648e4 464->466 467 d648b9-d648c3 464->467 472 d64904-d6490f 465->472 473 d6494c-d6494e 465->473 466->465 468 d648c7-d648d6 467->468 469 d648c5 467->469 468->468 471 d648d8 468->471 469->468 471->466 472->473 475 d64911-d6491d 472->475 474 d64950-d649a9 473->474 484 d649b2-d649d2 474->484 485 d649ab-d649b1 474->485 476 d64940-d6494a 475->476 477 d6491f-d64929 475->477 476->474 479 d6492d-d6493c 477->479 480 d6492b 477->480 479->479 481 d6493e 479->481 480->479 481->476 489 d649dc-d64a0f 484->489 485->484 492 d64a11-d64a15 489->492 493 d64a1f-d64a23 489->493 492->493 494 d64a17-d64a1a call d60ab8 492->494 495 d64a25-d64a29 493->495 496 d64a33-d64a37 493->496 494->493 495->496 498 d64a2b-d64a2e call d60ab8 495->498 499 d64a47-d64a4b 496->499 500 d64a39-d64a3d 496->500 498->496 502 d64a4d-d64a51 499->502 503 d64a5b 499->503 500->499 501 d64a3f 500->501 501->499 502->503 505 d64a53 502->505 506 d64a5c 503->506 505->503 506->506
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \VNm$\VNm
                                    • API String ID: 0-3240778399
                                    • Opcode ID: 71bcbb75dff0320ac4a002502c03829c999cc5a9898cdb582dc514b3cc83663d
                                    • Instruction ID: f5f098857cd7c8e77408d48e903c95427ea50f6e3781341380ab287efc419757
                                    • Opcode Fuzzy Hash: 71bcbb75dff0320ac4a002502c03829c999cc5a9898cdb582dc514b3cc83663d
                                    • Instruction Fuzzy Hash: 2B717B70E00249DFDF14DFA9C88179EBBF2BF88714F188129E415AB254EB749841CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 507 d64807-d6489c 511 d648e6-d648e8 507->511 512 d6489e-d648a9 507->512 514 d648ea-d64902 511->514 512->511 513 d648ab-d648b7 512->513 515 d648da-d648e4 513->515 516 d648b9-d648c3 513->516 521 d64904-d6490f 514->521 522 d6494c-d6494e 514->522 515->514 517 d648c7-d648d6 516->517 518 d648c5 516->518 517->517 520 d648d8 517->520 518->517 520->515 521->522 524 d64911-d6491d 521->524 523 d64950-d64962 522->523 531 d64969-d64995 523->531 525 d64940-d6494a 524->525 526 d6491f-d64929 524->526 525->523 528 d6492d-d6493c 526->528 529 d6492b 526->529 528->528 530 d6493e 528->530 529->528 530->525 532 d6499b-d649a9 531->532 533 d649b2-d649c0 532->533 534 d649ab-d649b1 532->534 537 d649c8-d649d2 533->537 534->533 538 d649dc-d64a0f 537->538 541 d64a11-d64a15 538->541 542 d64a1f-d64a23 538->542 541->542 543 d64a17-d64a1a call d60ab8 541->543 544 d64a25-d64a29 542->544 545 d64a33-d64a37 542->545 543->542 544->545 547 d64a2b-d64a2e call d60ab8 544->547 548 d64a47-d64a4b 545->548 549 d64a39-d64a3d 545->549 547->545 551 d64a4d-d64a51 548->551 552 d64a5b 548->552 549->548 550 d64a3f 549->550 550->548 551->552 554 d64a53 551->554 555 d64a5c 552->555 554->552 555->555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \VNm$\VNm
                                    • API String ID: 0-3240778399
                                    • Opcode ID: 4e8ac3a5792e7f970213e4f2f3b1e07ec8b9182a8e31e350cba933ff9ad47247
                                    • Instruction ID: 8981a8ac065324d0248eaa747a2e4029a682c99ac9292ed4b7dcedfc67221b45
                                    • Opcode Fuzzy Hash: 4e8ac3a5792e7f970213e4f2f3b1e07ec8b9182a8e31e350cba933ff9ad47247
                                    • Instruction Fuzzy Hash: 727167B0E00249DFDF14DFA9C88179EBBF2BF88714F188129E415AB254EB749841CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1174 5d1e1a8-5d1e1b3 1175 5d1e1b5-5d1e1dc call 5d1d570 1174->1175 1176 5d1e1dd-5d1e1fc call 5d1d57c 1174->1176 1182 5d1e202-5d1e261 1176->1182 1183 5d1e1fe-5d1e201 1176->1183 1190 5d1e263-5d1e266 1182->1190 1191 5d1e267-5d1e2f4 GlobalMemoryStatusEx 1182->1191 1194 5d1e2f6-5d1e2fc 1191->1194 1195 5d1e2fd-5d1e325 1191->1195 1194->1195
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3315838232.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5d10000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b9f7d9aa75b7b3d9afa562e068c81a86b4a032e627dcf5e32555898e82c543da
                                    • Instruction ID: 8b79afa1dc7f21a7d55c0943ccc4dcc07c311ff7042a3c46d82925e4f1727bfe
                                    • Opcode Fuzzy Hash: b9f7d9aa75b7b3d9afa562e068c81a86b4a032e627dcf5e32555898e82c543da
                                    • Instruction Fuzzy Hash: 6441F472E043559FDB04DFA9E8047EEBBF5EF89210F14866BD804A7291DB749841CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1198 5d1d57c-5d1e2f4 GlobalMemoryStatusEx 1201 5d1e2f6-5d1e2fc 1198->1201 1202 5d1e2fd-5d1e325 1198->1202 1201->1202
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05D1E1FA), ref: 05D1E2E7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3315838232.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5d10000_MSBuild.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: f43682abf72212aa313301e1df129fc5dd705113a772e061e2afcc1bd06c9e96
                                    • Instruction ID: 1865e17a249c7776ca9bec168df80d4645123371c32f25a8d52f8d2270c11658
                                    • Opcode Fuzzy Hash: f43682abf72212aa313301e1df129fc5dd705113a772e061e2afcc1bd06c9e96
                                    • Instruction Fuzzy Hash: B01103B1C0065A9BDB10CF9AD444B9EFBF4FF48320F14816AE918A7240D778A950CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

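The function records above (one "Memory Dump Source ... Uniqueness Score" block per disassembled function, optionally preceded by an "APIs" list) are easier to triage across a whole report export when parsed into structured data: which process and memory region each function came from, whether that region was executable-writable, and which Windows APIs it resolves. The following parser is an added example written for this page, not Joe Sandbox code; its sample input is two records excerpted from this report. The base address is taken from the "Offset:" field, which the report prints explicitly; reading the protection value from the fifth dot-separated field of the .sdmp file name is an assumption, and the image name is derived from the snapshot file name. PAGE_EXECUTE_READWRITE = 0x40 is the documented Windows constant.

```python
"""Parse Joe Sandbox function records into structured data and summarise them
per process and memory region. Added example; not part of the report or of
Joe Sandbox's own tooling."""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant

# Constructed sample: two records excerpted from this report (the
# GlobalMemoryStatusEx caller inside the injected MSBuild.exe region at
# 05D10000, and one function from the original sample's own process).
SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05D1E1FA), ref: 05D1E2E7
Memory Dump Source
• Source File: 00000002.00000002.3315838232.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5d10000_MSBuild.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: f43682abf72212aa313301e1df129fc5dd705113a772e061e2afcc1bd06c9e96
• Instruction ID: 1865e17a249c7776ca9bec168df80d4645123371c32f25a8d52f8d2270c11658
• Opcode Fuzzy Hash: f43682abf72212aa313301e1df129fc5dd705113a772e061e2afcc1bd06c9e96
• Instruction Fuzzy Hash: B01103B1C0065A9BDB10CF9AD444B9EFBF4FF48320F14816AE918A7240D778A950CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2096055847.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cbd000_xoRN6fxApwT8Kin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
• Instruction ID: c628a263cffaccaa154e36c11ccaf8d327c1c118eeaafc4146c1e0b6008c03c3
• Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
• Instruction Fuzzy Hash: 9B11BB75504280DFCB01CF10C5C0B55BBA1FB84314F24C6A9D84A4B2A6C33AD84ACB62
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Api.Module(args), ref: ADDR" lines under the "APIs" heading
API_CALL = re.compile(r"^• (\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)$")
# generic "• Key: value" bullet
FIELD = re.compile(r"^• ([^:]+): ?(.*)$")
# Assumed layout of the dump name: <process index>.<pass>.<dump id>.<base>.<protection>.<...>
SDMP = re.compile(r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.")
# Assumed: the image name is the last component of the snapshot file name
SNAPSHOT = re.compile(r"^hcaresult_\d+_\d+_[0-9a-f]+_(.+)\.jbxd$")


@dataclass
class FunctionRecord:
    process_index: int
    image: str
    region_base: int
    protection: int
    opcode_id: str
    instruction_fuzzy: str
    api_calls: list = field(default_factory=list)  # (api, module, call-site address)


def _build(fields):
    parts = fields["Source File"].split(", ")
    m = SDMP.match(parts[0])
    if m is None:
        raise ValueError("unexpected dump name: " + parts[0])
    offset = int(parts[1].split(": ")[1], 16)          # "Offset: 05D10000"
    snap = SNAPSHOT.match(fields.get("Snapshot File", ""))
    return FunctionRecord(
        process_index=int(m.group(1)),
        image=snap.group(1) if snap else "?",
        region_base=offset,
        protection=int(m.group(5), 16),                  # assumed field position
        opcode_id=fields.get("Opcode ID", ""),
        instruction_fuzzy=fields.get("Instruction Fuzzy Hash", ""),
        api_calls=fields.get("api_calls", []),
    )


def parse_records(text):
    """Split report text into FunctionRecord objects; a record ends at 'Uniqueness Score'."""
    records, cur, in_apis = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            in_apis = True
            continue
        if line.startswith("•"):
            m = API_CALL.match(line) if in_apis else None
            if m:
                cur.setdefault("api_calls", []).append((m.group(1), m.group(2), int(m.group(4), 16)))
                continue
            m = FIELD.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
            continue
        in_apis = False                                   # any other heading ends the API list
        if line.startswith("Uniqueness Score") and cur:
            records.append(_build(cur))
            cur = {}
    return records


def summarize(records):
    """Group functions by (process index, image, region base); flag RWX regions, collect APIs."""
    out = {}
    for r in records:
        key = (r.process_index, r.image, r.region_base)
        s = out.setdefault(key, {"functions": 0, "rwx": False, "apis": set()})
        s["functions"] += 1
        s["rwx"] = s["rwx"] or r.protection == PAGE_EXECUTE_READWRITE
        s["apis"].update(api for api, _, _ in r.api_calls)
    return out


if __name__ == "__main__":
    for key, s in summarize(parse_records(SAMPLE)).items():
        pid, image, base = key
        print(f"process {pid} ({image}) region {base:08X}: {s['functions']} function(s), "
              f"RWX={s['rwx']}, APIs={sorted(s['apis'])}")
```

Run over a full report export, the summary makes the point this page's raw listing only implies: every function here was recovered from non-PE-backed, executable-writable memory, and the only resolved API in the MSBuild.exe region is GlobalMemoryStatusEx, which is worth cross-checking against the sandbox-evasion signatures listed in the overview.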
                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1205 5d1e278-5d1e2be 1207 5d1e2c6-5d1e2f4 GlobalMemoryStatusEx 1205->1207 1208 5d1e2f6-5d1e2fc 1207->1208 1209 5d1e2fd-5d1e325 1207->1209 1208->1209
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05D1E1FA), ref: 05D1E2E7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3315838232.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5d10000_MSBuild.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 48809a3d0d68450da305b4ab3fe13ff0244e610190f9c8f0587b65ff7f9449c5
                                    • Instruction ID: 5f319e1017c3e03ec1d6c2e7f6ec05602a4e0953790bc9f52c78e79d4dd6cefd
                                    • Opcode Fuzzy Hash: 48809a3d0d68450da305b4ab3fe13ff0244e610190f9c8f0587b65ff7f9449c5
                                    • Instruction Fuzzy Hash: 4B1103B1C0065A9BDB10CF9AD544BDEFBB4FF48220F24816AE918A7240D778A954CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1278 d63e74-d63ee6 1281 d63f30-d63f32 1278->1281 1282 d63ee8-d63ef3 1278->1282 1283 d63f34-d63f8c 1281->1283 1282->1281 1284 d63ef5-d63f01 1282->1284 1293 d63fd6-d63fd8 1283->1293 1294 d63f8e-d63f99 1283->1294 1285 d63f24-d63f2e 1284->1285 1286 d63f03-d63f0d 1284->1286 1285->1283 1288 d63f11-d63f20 1286->1288 1289 d63f0f 1286->1289 1288->1288 1290 d63f22 1288->1290 1289->1288 1290->1285 1295 d63fda-d63ff2 1293->1295 1294->1293 1296 d63f9b-d63fa7 1294->1296 1302 d63ff4-d63fff 1295->1302 1303 d6403c-d6403e 1295->1303 1297 d63fca-d63fd4 1296->1297 1298 d63fa9-d63fb3 1296->1298 1297->1295 1300 d63fb7-d63fc6 1298->1300 1301 d63fb5 1298->1301 1300->1300 1304 d63fc8 1300->1304 1301->1300 1302->1303 1305 d64001-d6400d 1302->1305 1306 d64040-d64052 1303->1306 1304->1297 1307 d64030-d6403a 1305->1307 1308 d6400f-d64019 1305->1308 1313 d64059-d6408e 1306->1313 1307->1306 1309 d6401d-d6402c 1308->1309 1310 d6401b 1308->1310 1309->1309 1312 d6402e 1309->1312 1310->1309 1312->1307 1314 d64094-d640a2 1313->1314 1315 d640a4-d640aa 1314->1315 1316 d640ab-d6410b 1314->1316 1315->1316 1323 d6410d-d64111 1316->1323 1324 d6411b-d6411f 1316->1324 1323->1324 1327 d64113 1323->1327 1325 d64121-d64125 1324->1325 1326 d6412f-d64133 1324->1326 1325->1326 1328 d64127-d6412a call d60ab8 1325->1328 1329 d64135-d64139 1326->1329 1330 d64143-d64147 1326->1330 1327->1324 1328->1326 1329->1330 1332 d6413b-d6413e call d60ab8 1329->1332 1333 d64157-d6415b 1330->1333 1334 d64149-d6414d 1330->1334 1332->1330 1337 d6415d-d64161 1333->1337 1338 d6416b-d6416f 1333->1338 1334->1333 1336 d6414f-d64152 call d60ab8 1334->1336 1336->1333 1337->1338 1342 d64163 1337->1342 1339 d64171-d64175 1338->1339 1340 d6417f 1338->1340 1339->1340 1343 d64177 1339->1343 1344 d64180 1340->1344 1342->1338 1343->1340 1344->1344
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \VNm
                                    • API String ID: 0-2505523818
                                    • Opcode ID: 5d3558b4cc517f8c25c00f756ebb273983da8b8ea67e78fd9c0a1c79d4103d1f
                                    • Instruction ID: 7d797ff96b191d2d8bf196b10b664d8c69e3f0d1e8a884327bc0e5a2ed047cf2
                                    • Opcode Fuzzy Hash: 5d3558b4cc517f8c25c00f756ebb273983da8b8ea67e78fd9c0a1c79d4103d1f
                                    • Instruction Fuzzy Hash: 49917C70E00319DFDF10CFA9C98579EBBF2BF98704F188129E415A7254EB749985CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 3137 d67903-d67917 3138 d67919-d6791c 3137->3138 3139 d6791e-d67944 3138->3139 3140 d67949-d6794c 3138->3140 3139->3140 3141 d6794e-d67974 3140->3141 3142 d67979-d6797c 3140->3142 3141->3142 3143 d6797e-d679a4 3142->3143 3144 d679a9-d679ac 3142->3144 3143->3144 3146 d679ae-d679b0 3144->3146 3147 d679bd-d679c0 3144->3147 3351 d679b2 call d691fb 3146->3351 3352 d679b2 call d69158 3146->3352 3353 d679b2 call d69148 3146->3353 3149 d679c2-d679e8 3147->3149 3150 d679ed-d679f0 3147->3150 3149->3150 3154 d679f2-d67a18 3150->3154 3155 d67a1d-d67a20 3150->3155 3154->3155 3157 d67a22-d67a48 3155->3157 3158 d67a4d-d67a50 3155->3158 3156 d679b8 3156->3147 3157->3158 3163 d67a52-d67a78 3158->3163 3164 d67a7d-d67a80 3158->3164 3163->3164 3166 d67a82-d67a98 3164->3166 3167 d67a9d-d67aa0 3164->3167 3166->3167 3171 d67aa2-d67ac8 3167->3171 3172 d67acd-d67ad0 3167->3172 3171->3172 3178 d67ad2-d67af8 3172->3178 3179 d67afd-d67b00 3172->3179 3178->3179 3180 d67b02-d67b28 3179->3180 3181 d67b2d-d67b30 3179->3181 3180->3181 3188 d67b32-d67b58 3181->3188 3189 d67b5d-d67b60 3181->3189 3188->3189 3190 d67b62-d67b88 3189->3190 3191 d67b8d-d67b90 3189->3191 3190->3191 3197 d67b92-d67bb8 3191->3197 3198 d67bbd-d67bc0 3191->3198 3197->3198 3199 d67bc2-d67be8 3198->3199 3200 d67bed-d67bf0 3198->3200 3199->3200 3207 d67bf2-d67c18 3200->3207 3208 d67c1d-d67c20 3200->3208 3207->3208 3209 d67c22-d67c48 3208->3209 3210 d67c4d-d67c50 3208->3210 3209->3210 3217 d67c52-d67c78 3210->3217 3218 d67c7d-d67c80 3210->3218 3217->3218 3219 d67c82-d67ca8 3218->3219 3220 d67cad-d67cb0 3218->3220 3219->3220 3227 d67cb2-d67cd8 3220->3227 3228 d67cdd-d67ce0 3220->3228 3227->3228 3229 d67ce2-d67d08 3228->3229 3230 d67d0d-d67d10 3228->3230 3229->3230 3237 d67d12-d67d38 3230->3237 3238 d67d3d-d67d40 3230->3238 3237->3238 3239 d67d42-d67d68 3238->3239 3240 d67d6d-d67d70 3238->3240 3239->3240 3247 d67d72-d67d98 3240->3247 3248 d67d9d-d67da0 3240->3248 3247->3248 3249 d67da2-d67db6 3248->3249 3250 d67dbb-d67dbe 3248->3250 3249->3250 3257 d67dc0-d67de6 3250->3257 3258 d67deb-d67dee 3250->3258 3257->3258 3259 d67df0-d67e16 3258->3259 3260 d67e1b-d67e1e 3258->3260 3259->3260 3266 d67e20-d67e46 3260->3266 3267 d67e4b-d67e4e 3260->3267 3266->3267 3269 d67e50-d67e76 3267->3269 3270 d67e7b-d67e7e 3267->3270 3269->3270 3276 d67e80-d67ea6 3270->3276 3277 d67eab-d67eae 3270->3277 3276->3277 3279 d67eb0-d67ed6 3277->3279 3280 d67edb-d67ede 3277->3280 3279->3280 3285 d67ee0-d67f06 3280->3285 3286 d67f0b-d67f0e 3280->3286 3285->3286 3288 d67f10-d67f36 3286->3288 3289 d67f3b-d67f3e 3286->3289 3288->3289 3295 d67f40-d67f66 3289->3295 3296 d67f6b-d67f6e 3289->3296 3295->3296 3298 d67f70-d67f96 3296->3298 3299 d67f9b-d67f9e 3296->3299 3298->3299 3305 d67fa0-d67fc6 3299->3305 3306 d67fcb-d67fce 3299->3306 3305->3306 3308 d67fd0-d67ff6 3306->3308 3309 d67ffb-d67ffe 3306->3309 3308->3309 3315 d68000-d68026 3309->3315 3316 d6802b-d6802e 3309->3316 3315->3316 3318 d68030-d68056 3316->3318 3319 d6805b-d6805e 3316->3319 3318->3319 3325 d68060-d68086 3319->3325 3326 d6808b-d6808e 3319->3326 3325->3326 3328 d68090-d680b6 3326->3328 3329 d680bb-d680be 3326->3329 3328->3329 3335 d680c0 3329->3335 3336 d680cb-d680cd 3329->3336 3346 d680c6 3335->3346 3338 d680d4-d680d7 3336->3338 3339 d680cf 3336->3339 3338->3138 3344 d680dd-d680e3 3338->3344 3339->3338 3346->3336 3351->3156 3352->3156 3353->3156
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1679d805ffc80a5cb32aaee70b1e1974f38ae85182337617884087957f8a64fa
                                    • Instruction ID: ee58dd1a774cae8ac5720da4ef6aa8f3ccfbd112f563e0c10921b8bfe5f24ff6
                                    • Opcode Fuzzy Hash: 1679d805ffc80a5cb32aaee70b1e1974f38ae85182337617884087957f8a64fa
                                    • Instruction Fuzzy Hash: 53129530701606CBDB19AB7CE88422D37A6EBC6354B6859BDE005CB3A5CF75DD46CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%
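The control_flow_graph entry for this function is the token stream behind the rendered graph: `<id> <start>-<end>` defines a basic block, `<id> <addr> call <target>` a call stub, and `<a>-><b>` an edge. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin, that parses that stream and reports what an analyst usually wants from it: the function's address span, the call sites with their recorded targets, and loop back-edges found by depth-first search. The token grammar is inferred from the listing on this page; the embedded sample is an excerpt of this function's edge list (entry, the three-target call at d679b2, the loop tail) with the long middle chain omitted and bridged by one constructed edge `3150->3329` that does not appear in the report.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the control_flow_graph token stream for the function starting at
# d67903 in this report. The long middle chain of blocks is left out and
# replaced by a single CONSTRUCTED edge 3150->3329 to keep the sample short.
CFG_SAMPLE = (
    "control_flow_graph "
    "3137 d67903-d67917 3138 d67919-d6791c 3137->3138 "
    "3139 d6791e-d67944 3138->3139 3140 d67949-d6794c 3138->3140 3139->3140 "
    "3141 d6794e-d67974 3140->3141 3142 d67979-d6797c 3140->3142 3141->3142 "
    "3143 d6797e-d679a4 3142->3143 3144 d679a9-d679ac 3142->3144 3143->3144 "
    "3146 d679ae-d679b0 3144->3146 3147 d679bd-d679c0 3144->3147 "
    "3351 d679b2 call d691fb 3146->3351 3352 d679b2 call d69158 3146->3352 "
    "3353 d679b2 call d69148 3146->3353 3149 d679c2-d679e8 3147->3149 "
    "3150 d679ed-d679f0 3147->3150 3149->3150 3156 d679b8 3156->3147 "
    "3150->3329 "  # constructed shortcut over the omitted middle chain
    "3329 d680bb-d680be 3335 d680c0 3329->3335 3336 d680cb-d680cd 3329->3336 "
    "3346 d680c6 3335->3346 3338 d680d4-d680d7 3336->3338 3339 d680cf 3336->3339 "
    "3338->3138 3344 d680dd-d680e3 3338->3344 3339->3338 3346->3336 "
    "3351->3156 3352->3156 3353->3156"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_addr(tok):
    """'d67903-d67917' -> (0xd67903, 0xd67917); a bare 'd679b8' is a one-address block."""
    lo, _, hi = tok.partition("-")
    start = int(lo, 16)
    return start, (int(hi, 16) if hi else start)


def parse_cfg(text):
    """Return ({node_id: {"start", "end", "call"}}, [(src, dst), ...]).

    Grammar as inferred from the report: '<id> <addr>[-<addr>]' defines a
    basic block, '<id> <addr> call <target>' a call stub, '<a>-><b>' an edge.
    """
    nodes, edges = {}, []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "control_flow_graph":          # leading label in the report
            i += 1
            continue
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not tok.isdigit():
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        node_id = int(tok)
        start, end = parse_addr(tokens[i + 1])
        call = None
        if i + 3 < len(tokens) and tokens[i + 2] == "call":
            call = int(tokens[i + 3], 16)       # recorded call target
            i += 2
        nodes[node_id] = {"start": start, "end": end, "call": call}
        i += 2
    return nodes, edges


def back_edges(edges, entry):
    """Edges that close a cycle in a DFS from entry, i.e. loop back-edges."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    state = {}                                  # node -> "active" | "done"
    found = []

    def visit(n):
        state[n] = "active"
        for m in sorted(succ[n]):
            if state.get(m) == "active":        # target is still on the DFS stack
                found.append((n, m))
            elif m not in state:
                visit(m)
        state[n] = "done"

    visit(entry)
    return found


def summarize(text):
    """Function span, entry, exits, call sites and loop back-edges as integers."""
    nodes, edges = parse_cfg(text)
    indeg, outdeg = Counter(), Counter()
    for s, d in edges:
        outdeg[s] += 1
        indeg[d] += 1
    entries = sorted(n for n in nodes if indeg[n] == 0)
    exits = sorted(n for n in nodes if outdeg[n] == 0)
    loops = back_edges(edges, entries[0]) if entries else []
    return {
        "function_range": (min(v["start"] for v in nodes.values()),
                           max(v["end"] for v in nodes.values())),
        "entry": nodes[entries[0]]["start"] if entries else None,
        "exits": [nodes[n]["start"] for n in exits],
        "call_sites": sorted((v["start"], v["call"]) for v in nodes.values()
                             if v["call"] is not None),
        "back_edges": [(nodes[s]["start"], nodes[d]["start"]) for s, d in loops],
    }


if __name__ == "__main__":
    summary = summarize(CFG_SAMPLE)
    lo, hi = summary["function_range"]
    print(f"function {lo:#x}-{hi:#x}, entry {summary['entry']:#x}")
    for site, target in summary["call_sites"]:
        print(f"call at {site:#x} -> {target:#x}")
    for src, header in summary["back_edges"]:
        print(f"loop: back-edge from {src:#x} to header {header:#x}")
```

Feeding the full control_flow_graph line from the report to `summarize` works the same way; the three call stubs sharing the single address d679b2 come out as three call sites, which is how the plugin records a call whose target it could not resolve to one function.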

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d5d8dc2e47ab32b136786d2975f10c54971ca4a6634b2e1e11880fad90c9c9ee
                                    • Instruction ID: d2c2020cd33b7847cce780bb123a1e1b05227ef410da891b4d949ea04c163b5e
                                    • Opcode Fuzzy Hash: d5d8dc2e47ab32b136786d2975f10c54971ca4a6634b2e1e11880fad90c9c9ee
                                    • Instruction Fuzzy Hash: 02B14B70E00219CFDB10CFA9C89179EBBF1AF48754F288129D815EB394EB749885CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 99f8195fc3a7d76f904487d80b61ade04a4d271ea079321f998676305199b5dc
                                    • Instruction ID: b72c25ab16f3f6f8301f3f1b0548b695030dc363f0b2111bb5081d932d68eeb1
                                    • Opcode Fuzzy Hash: 99f8195fc3a7d76f904487d80b61ade04a4d271ea079321f998676305199b5dc
                                    • Instruction Fuzzy Hash: E3A15034A10205CFDB15DFA4D594AADBBF6EF88310F288469E906EB395DB71DC42CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 27c966c2f1978c11a078e7e0e735c4522e4b4bed915a849d5a89af361000d464
                                    • Instruction ID: beffb31eb0f649e9440aa7a503d0e857b19443eb14f9beec27d2d71925960b3f
                                    • Opcode Fuzzy Hash: 27c966c2f1978c11a078e7e0e735c4522e4b4bed915a849d5a89af361000d464
                                    • Instruction Fuzzy Hash: 4751B130A042499BDB15DF78D4147AEBBB6EF86314F2484AAE405EB391DB71DC458B70
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf77a7cd2bd7d6bc182d8628de704291189823ccf15c1471634e638178c97421
                                    • Instruction ID: c493fc3ac966f3e7903c3fd733d0a2f69a806e676da45f5e71b4be41d6bb65e6
                                    • Opcode Fuzzy Hash: bf77a7cd2bd7d6bc182d8628de704291189823ccf15c1471634e638178c97421
                                    • Instruction Fuzzy Hash: 0E511374E002588FDB14CFA9C884B9EBBB1FF48314F18812AE815AB351D775A844CFA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 966f38cd7059a59a22e5b68cbead093d91b2a2f019fea048b788b15b95506675
                                    • Instruction ID: 313f7b24ba89d00ab554ee8564d6fabbfa3609f7b4f77d48afef614129693695
                                    • Opcode Fuzzy Hash: 966f38cd7059a59a22e5b68cbead093d91b2a2f019fea048b788b15b95506675
                                    • Instruction Fuzzy Hash: 09510374E002188FDB14CFA9C884B9EBBB1FF48314F18812AE815BB351D775A844CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d6cc44b190c931a51f8369bd213c97cc16e107854a45360e600958a8bfd40ea2
                                    • Instruction ID: 48de062c769a3fbcc51b22cebc537868b6d34be8ba69d7e9c369a9a314395639
                                    • Opcode Fuzzy Hash: d6cc44b190c931a51f8369bd213c97cc16e107854a45360e600958a8bfd40ea2
                                    • Instruction Fuzzy Hash: 7751BE71215A82DFC70AEF28FA949453FB1EBD2305704B9EDD1009B2BADFA46905CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9b98a867e9930c8fafc9ec3d5777231336c27ccbb16f416e162c9a8acf69ce9e
                                    • Instruction ID: 4bf996c2ec92bb28c9e23d742e3ac8538e680c7259aa9ed00d10e8527d282bb4
                                    • Opcode Fuzzy Hash: 9b98a867e9930c8fafc9ec3d5777231336c27ccbb16f416e162c9a8acf69ce9e
                                    • Instruction Fuzzy Hash: A8519871215A42DFC70AEF28FAA49553FA1FBD1305300B9EDD1009B2BADFA06906CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ea93f50419bef37a96240725c8f952b20452e147188699c588a9473c52713a9f
                                    • Instruction ID: 813eb8b52eaf13ec6a3e6946817d1fd7b35f596fabd9510b6b32a9412f767563
                                    • Opcode Fuzzy Hash: ea93f50419bef37a96240725c8f952b20452e147188699c588a9473c52713a9f
                                    • Instruction Fuzzy Hash: 9731DE39A053519BCB21ABB898553AD7FB4EF46310F1C08BAE446D7392EB25DC81C7B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 58c4e42bdd8937a2c89625a6a7b1bd31468957c5e4eaee06d96005a244fdc9a1
                                    • Instruction ID: 405322feae4b19940d447090d2670226df3e8b5dc04bf1a14b8651e056ddcbc4
                                    • Opcode Fuzzy Hash: 58c4e42bdd8937a2c89625a6a7b1bd31468957c5e4eaee06d96005a244fdc9a1
                                    • Instruction Fuzzy Hash: C9319C30B006458FDB1AAB34E55476E7BB6AB89344F2844B9C406DB396EE35DC46CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8f80b3c348ee6990f3fca56224185c37f5ce8d3296b34bf2ff4f2433431981a8
                                    • Instruction ID: 8d1f86cabdd26582e230ac2fc42340e0955349cb3e837278d954d18dad15a0ac
                                    • Opcode Fuzzy Hash: 8f80b3c348ee6990f3fca56224185c37f5ce8d3296b34bf2ff4f2433431981a8
                                    • Instruction Fuzzy Hash: 6C31A274F102068BDF20DEA9D99076EF379FB86310F24442AD51AE7384D634EC45CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 42e1488182b0f12a42b7360963441fabd23f70bff43f6a4e8cef25210e3db17b
                                    • Instruction ID: cd658f3fe14b51e5cfb2ae314a62d2a3161708674da26932f131a08709d36993
                                    • Opcode Fuzzy Hash: 42e1488182b0f12a42b7360963441fabd23f70bff43f6a4e8cef25210e3db17b
                                    • Instruction Fuzzy Hash: 7431AF307006058FDB19AB38E55466F7BA6AB89744F284478D406DB395EE31DC46C7B0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5b8a472fd823c60ca42134eca5f9ca5ecb42719425babd775c6730be3adf16c2
                                    • Instruction ID: 776a30f01e91c34d2b7d50008ce53e505836f2cb3db7322b40caf8967fa289cd
                                    • Opcode Fuzzy Hash: 5b8a472fd823c60ca42134eca5f9ca5ecb42719425babd775c6730be3adf16c2
                                    • Instruction Fuzzy Hash: 7531C6346053428FDF16AB38E8987183B71EB83314F0829E9E506CB3B5DEA49C45CBB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 87de40076d4098c38ecd449d1d813b17a0f8e04a1ea5a1a960f11aad2a04987c
                                    • Instruction ID: f0be141151d6350c0a7f34de0a96a0e4d7ecbea1f8bde31b28df880fdc01b208
                                    • Opcode Fuzzy Hash: 87de40076d4098c38ecd449d1d813b17a0f8e04a1ea5a1a960f11aad2a04987c
                                    • Instruction Fuzzy Hash: D4315234E146459BCB19CFA8D85469EBBF2FF89310F248569E806E7390DB71EC45CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a68fa2d58cb5e11db124b6eb3957aef4edfebf0682b24ac5d50b3e7b5661b083
                                    • Instruction ID: 1c5e91172b962bcfff8bd5cc70cec176b8b2c2504c25ba5749b08d54a070ca37
                                    • Opcode Fuzzy Hash: a68fa2d58cb5e11db124b6eb3957aef4edfebf0682b24ac5d50b3e7b5661b083
                                    • Instruction Fuzzy Hash: B6314D30E102199BDB14CFA4D45479EB7B6EF85314F248569E806EB290EB71ED45CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 512efacce4a27930312c1c201ff9b1f6bb9c64a6cfa3679f1e994b34511856ea
                                    • Instruction ID: 6bf2ee8b7c020a8a256e08a0c2e5d9bb88bdd431bc930d8d7520e752cb52cee4
                                    • Opcode Fuzzy Hash: 512efacce4a27930312c1c201ff9b1f6bb9c64a6cfa3679f1e994b34511856ea
                                    • Instruction Fuzzy Hash: 5041E0B090074DDFDB10CFA9C984ADEBBF5FF48714F248029E809AB254DB75A945CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c038a4d41a427df074923c896e32b34ac1db95f00a215bde87e425b2dd82dc92
                                    • Instruction ID: 628f1749b0d32840e390a974df6fd8360602d54b8816098db56fba9c0d7a6fb2
                                    • Opcode Fuzzy Hash: c038a4d41a427df074923c896e32b34ac1db95f00a215bde87e425b2dd82dc92
                                    • Instruction Fuzzy Hash: 5B313839E002509FDB11EB78E81875E7BA6EB84310F1C49A9E906C3354EB74DC01CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f1c8f32de9e8d95d44fe734ceffdcc202ce0f47327740a6aaf8a146840539139
                                    • Instruction ID: 6e8c67f7f22dfc91885d4134a5484435aaaf91b6da4e0f72e483dd965ab9929c
                                    • Opcode Fuzzy Hash: f1c8f32de9e8d95d44fe734ceffdcc202ce0f47327740a6aaf8a146840539139
                                    • Instruction Fuzzy Hash: 0D317034E146059BCB19CFA8D89469EB7F2FF89310F248529E806E7390DF70AC41CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bd7271d1fa1e5d4a48d9c683bfa4422ef940ae4bc2bac45f8e960ce8f881cc93
                                    • Instruction ID: 5133383352ed91d0e55d35a653066cb2c51e8f3e3ed1bd3dad9570400f3757f2
                                    • Opcode Fuzzy Hash: bd7271d1fa1e5d4a48d9c683bfa4422ef940ae4bc2bac45f8e960ce8f881cc93
                                    • Instruction Fuzzy Hash: 5F41DCB0D0074DDFDB10DFA9C984A9EBBB5FF48710F248029E809AB254DB75A945CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8496965076a6886069a0509d3476418e0532159968a3725563dfca57eec219e7
                                    • Instruction ID: c91928d4888c76e8a4075d86b0c619f6d078849b60e4af54a90adde3f7e25aba
                                    • Opcode Fuzzy Hash: 8496965076a6886069a0509d3476418e0532159968a3725563dfca57eec219e7
                                    • Instruction Fuzzy Hash: 25317130E002499BDB05CFA4D46469EF7B6FF89300F54C56AE805AB384DB70DC46CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 875ca7bd6a2bd2028508957066ecaa8fa6a2994b611a77919e461275dd9a57a4
                                    • Instruction ID: c4f3cf66c7260c081dbf1214fe567cd540b3a1d0f5923b84b806d7a555b7cdc8
                                    • Opcode Fuzzy Hash: 875ca7bd6a2bd2028508957066ecaa8fa6a2994b611a77919e461275dd9a57a4
                                    • Instruction Fuzzy Hash: 8E21C93C600141DFEB12EB38E8687593B62EB81304F1C6A9DD006CB276DBA4DC458BB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7c5d5c40400dd3b3c9b862e98b030c7a760f7fdf6ada3a02ae2b084bfcf62c28
                                    • Instruction ID: aacedd372bc7a9177f9600c1881f9279fbbc53deb8e44d4a825d2a36d1300494
                                    • Opcode Fuzzy Hash: 7c5d5c40400dd3b3c9b862e98b030c7a760f7fdf6ada3a02ae2b084bfcf62c28
                                    • Instruction Fuzzy Hash: DA214430E1024A9BDB15CFA4D5A469EF7B6FF89300F54C669E805EB384DB719C46CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5b2db950504e032ef459b2824ff116a706fc6b697b7c948542f70d8145a1cc28
                                    • Instruction ID: d227edb3a0bbaf642b6393468be19978d7447f310c2c1fd06b8916d76bead788
                                    • Opcode Fuzzy Hash: 5b2db950504e032ef459b2824ff116a706fc6b697b7c948542f70d8145a1cc28
                                    • Instruction Fuzzy Hash: 13216230E002169BDB14CF64C86469EF7B6AF89310F64852AE816FB340DB709C45CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 40e49e89110edaf7b38c99826c39b0ebbd01da7150c1965cbd144f258c44614d
                                    • Instruction ID: d36fa1fac02907650d84550eacf0202b4db02d4e73329fe8e69f6f741e925750
                                    • Opcode Fuzzy Hash: 40e49e89110edaf7b38c99826c39b0ebbd01da7150c1965cbd144f258c44614d
                                    • Instruction Fuzzy Hash: B5212834A00605CFDB14DB78DA58AADBBF1AF89305F1404A8E406EB3A5DB369D41CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3311917406.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d1d000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6f548b6dc00adb82c7f7671efe643590fa397fa1e78d33e35027fb63f81f3de0
                                    • Instruction ID: b26708feda8342dd1efebb99907d4239524de7d58f1dcc819abadc0156f99e91
                                    • Opcode Fuzzy Hash: 6f548b6dc00adb82c7f7671efe643590fa397fa1e78d33e35027fb63f81f3de0
                                    • Instruction Fuzzy Hash: 8E212575504204EFCB14DF14E9C0B66BB62FB88314F24C56DE9490B252CB76D886CA72
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3312082227.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_d60000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7bfded0fad8b6c1e262ad5d630883044c5bf2e7825ff6e4ee92abf8266bccdce