Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
rPaymentAdvice-PDF.exe

Overview

General Information

Sample name:rPaymentAdvice-PDF.exe
Analysis ID:1455406
MD5:cc74321fe70654e82ead4093093b0116
SHA1:68e74f568066c31b0f2b2a2837b5ce072b0857af
SHA256:8819d137ba69b96b3f3c28cca74603e86c4ecea2c821e5332452a51258176439
Tags:AgentTeslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • rPaymentAdvice-PDF.exe (PID: 3620 cmdline: "C:\Users\user\Desktop\rPaymentAdvice-PDF.exe" MD5: CC74321FE70654E82EAD4093093B0116)
    • MSBuild.exe (PID: 4196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • WerFault.exe (PID: 5048 cmdline: C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.motek.ro", "Username": "office@motek.ro", "Password": "[_QR4eY?2cHe"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
    00000003.00000002.3384403596.0000000002C59000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 11 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.MSBuild.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              3.2.MSBuild.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                3.2.MSBuild.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x334d9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x3354b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x335d5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x33667:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x336d1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x33743:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x337d9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x33869:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 10 entries

                    Sigma Signatures

                    Networking

                    barindex
                    Sigma detected: MSBuild connects to smtp port
                    Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 212.146.84.76, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4196, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.motek.ro", "Username": "office@motek.ro", "Password": "[_QR4eY?2cHe"}
                    Multi AV Scanner detection for submitted file
                    Source: rPaymentAdvice-PDF.exeReversingLabs: Detection: 26%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability

                    Exploits

                    barindex
                    Yara detected UAC Bypass using CMSTP
                    Source: Yara matchFile source: 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620, type: MEMORYSTR
                    Source: rPaymentAdvice-PDF.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: indoC:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdbo source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: 0C:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: symbols\dll\System.pdb.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2187838193.0000024E6C387000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbll source: rPaymentAdvice-PDF.exe, 00000000.00000002.2187838193.0000024E6C387000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb?lN source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: assembly\GAC_MSC:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Xml.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbjc' source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Users\user\Desktop\rPaymentAdvice-PDF.PDBm source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Configuration.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb\ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbA source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.pdbp`Oq4 source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb@ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp, WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb}#_ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.pdbSystem.pdbpdbtem.pdbGAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb* source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\System.pdbc source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: global trafficTCP traffic: 192.168.2.6:49715 -> 212.146.84.76:587
                    Source: global trafficTCP traffic: 192.168.2.6:55813 -> 162.159.36.2:53
                    Source: Joe Sandbox ViewASN Name: GTSCEGTSCentralEuropeAntelGermanyCZ GTSCEGTSCentralEuropeAntelGermanyCZ
                    Source: global trafficTCP traffic: 192.168.2.6:49715 -> 212.146.84.76:587
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownTCP traffic detected without corresponding DNS query: 2.19.126.163
                    Source: unknownTCP traffic detected without corresponding DNS query: 2.19.126.163
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: mail.motek.ro
                    Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.motek.ro
                    Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://motek.ro
                    Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0
                    Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
                    Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net
                    Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, SKTzxzsJw.cs.Net Code: cOd8BoX
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, SKTzxzsJw.cs.Net Code: cOd8BoX

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: rPaymentAdvice-PDF.exe
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD346849080_2_00007FFD34684908
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD3468ADD00_2_00007FFD3468ADD0
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD346831F00_2_00007FFD346831F0
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD3468B9F20_2_00007FFD3468B9F2
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD3468DB4A0_2_00007FFD3468DB4A
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD3468E3080_2_00007FFD3468E308
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD346917090_2_00007FFD34691709
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD346870070_2_00007FFD34687007
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD34680E650_2_00007FFD34680E65
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD34680EFA0_2_00007FFD34680EFA
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD3478026B0_2_00007FFD3478026B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_02A94A983_2_02A94A98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_02A99B403_2_02A99B40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_02A93E803_2_02A93E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_02A9CDC03_2_02A9CDC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_02A941C83_2_02A941C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0576DD203_2_0576DD20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0576BD283_2_0576BD28
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_05769AF03_2_05769AF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_05763F483_2_05763F48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_05764FF83_2_05764FF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_057656D83_2_057656D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_057600403_2_05760040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0576322B3_2_0576322B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_05762AF83_2_05762AF8
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152
                    Source: rPaymentAdvice-PDF.exeStatic PE information: No import functions for PE file found
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename5522c644-5386-4d0c-b3dc-cccb0f430efa.exe4 vs rPaymentAdvice-PDF.exe
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename5522c644-5386-4d0c-b3dc-cccb0f430efa.exe4 vs rPaymentAdvice-PDF.exe
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUcorasewogitiwug: vs rPaymentAdvice-PDF.exe
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000000.2131800063.0000024E6C202000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIluluxove: vs rPaymentAdvice-PDF.exe
                    Source: rPaymentAdvice-PDF.exeBinary or memory string: OriginalFilenameIluluxove: vs rPaymentAdvice-PDF.exe
                    Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: rPaymentAdvice-PDF.exe, --.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb}#_
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                    Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winEXE@4/5@1/1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3620
                    Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\1f16400a-6eae-41a4-9738-e694aecad83eJump to behavior
                    Source: rPaymentAdvice-PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: rPaymentAdvice-PDF.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: rPaymentAdvice-PDF.exeReversingLabs: Detection: 26%
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeFile read: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe "C:\Users\user\Desktop\rPaymentAdvice-PDF.exe"
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: rPaymentAdvice-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: rPaymentAdvice-PDF.exeStatic file information: File size 2613780 > 1048576
                    Source: rPaymentAdvice-PDF.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: rPaymentAdvice-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: indoC:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdbo source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: 0C:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: symbols\dll\System.pdb.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2187838193.0000024E6C387000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbll source: rPaymentAdvice-PDF.exe, 00000000.00000002.2187838193.0000024E6C387000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb?lN source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: assembly\GAC_MSC:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Xml.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbjc' source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Users\user\Desktop\rPaymentAdvice-PDF.PDBm source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Configuration.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb\ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbA source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.pdbp`Oq4 source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb@ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp, WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb}#_ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.pdbSystem.pdbpdbtem.pdbGAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb* source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\System.pdbc source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: rPaymentAdvice-PDF.exeStatic PE information: 0x864F4AF4 [Tue May 28 08:44:36 2041 UTC]
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD34686240 push edi; retn 5F4Ch0_2_00007FFD346862D6
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD34683DEE push es; ret 0_2_00007FFD34683DEF
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD3478026B push esp; retf 4810h0_2_00007FFD34780312
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeCode function: 0_2_00007FFD34781798 push eax; ret 0_2_00007FFD34781799
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory allocated: 24E6C530000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory allocated: 24E6DEC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2A50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2BE0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 4BE0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2326Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 6138Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -26747778906878833s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3260Thread sleep count: 2326 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -99859s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3260Thread sleep count: 6138 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -99750s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -99640s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -99526s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -99406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -99296s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -99137s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -99031s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98922s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98703s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98469s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98250s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98140s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -98031s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97922s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97810s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97703s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97593s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97481s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97374s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97263s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97152s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -97045s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96937s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96827s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96718s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96609s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96499s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96390s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96281s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96172s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -96062s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -95953s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -95843s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -95734s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -95625s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -95515s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -95406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99750Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99526Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99296Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99137Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97810Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97481Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97374Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97263Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97152Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97045Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96937Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96827Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96718Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96499Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95843Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95515Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: Amcache.hve.6.drBinary or memory string: VMware
                    Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.6.drBinary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.6.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.6.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.6.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.6.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                    Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.6.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: Amcache.hve.6.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.6.drBinary or memory string: vmci.sys
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin`
                    Source: MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: Amcache.hve.6.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.6.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.6.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.6.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.6.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.6.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    .NET source code references suspicious native API functions
                    Source: rPaymentAdvice-PDF.exe, --.csReference to suspicious API methods: LoadLibrary(_3227_A9B7_31C8(_321F_3200_3211_3215_31D3._3218_31C4_31CA_31D5_31E5_A97D_31E8_3209))
                    Source: rPaymentAdvice-PDF.exe, --.csReference to suspicious API methods: GetProcAddress(intPtr, _3227_A9B7_31C8(_321F_3200_3211_3215_31D3._3201_3207_31C3_A9B4))
                    Source: rPaymentAdvice-PDF.exe, --.csReference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out _320B_3225_31E4_31C4_3223_A9B6_D7FF_3198)
                    Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, zOS.csReference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000Jump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A50008Jump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeQueries volume information: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.6.drBinary or memory string: msmpeng.exe
                    Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Amcache.hve.6.drBinary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.3384403596.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4196, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4196, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.3384403596.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4196, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		311
                    Process Injection                    		1
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		231
                    Security Software Discovery                    		Remote Services1
                    Email Collection                    		12
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Native API                    		Boot or Logon Initialization Scripts1
                    DLL Side-Loading                    		151
                    Virtualization/Sandbox Evasion                    		1
                    Input Capture                    		1
                    Process Discovery                    		Remote Desktop Protocol1
                    Input Capture                    		1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)311
                    Process Injection                    		1
                    Credentials in Registry                    		151
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin Shares11
                    Archive Collected Data                    		1
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                    Deobfuscate/Decode Files or Information                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object Model2
                    Data from Local System                    		12
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Obfuscated Files or Information                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Timestomp                    		Cached Domain Credentials24
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    rPaymentAdvice-PDF.exe26%ReversingLabsWin64.Trojan.GenSteal

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://upx.sf.net0%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    http://motek.ro0%Avira URL Cloudsafe
                    http://x1.c.lencr.org/00%Avira URL Cloudsafe
                    http://x1.i.lencr.org/00%Avira URL Cloudsafe
                    http://r3.o.lencr.org00%Avira URL Cloudsafe
                    http://mail.motek.ro0%Avira URL Cloudsafe
                    http://r3.i.lencr.org/00%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    bg.microsoft.map.fastly.net
                    		199.232.210.172
                    		truefalse
                      		unknown
                      motek.ro
                      		212.146.84.76
                      		truetrue
                        		unknown
                        fp2e7a.wpc.phicdn.net
                        		192.229.221.95
                        		truefalse
                          		unknown
                          mail.motek.ro
                          		unknown
                          		unknowntrue
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://r3.o.lencr.org0MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://upx.sf.netAmcache.hve.6.drfalse
                            • URL Reputation: safe
                            		unknown
                            https://account.dyn.com/rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://mail.motek.roMSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://motek.roMSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://x1.c.lencr.org/0MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://x1.i.lencr.org/0MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://r3.i.lencr.org/0MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            212.146.84.76
                            		motek.roRomania
                            		5588GTSCEGTSCentralEuropeAntelGermanyCZtrue

                            General Information

                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1455406
                            Start date and time:2024-06-11 19:46:14 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 49s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:12
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:rPaymentAdvice-PDF.exe
                            Detection:MAL
                            Classification:mal100.spre.troj.spyw.expl.evad.winEXE@4/5@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 78%
                            • Number of executed functions: 58
                            • Number of non-executed functions: 2
                            Cookbook Comments:
                            • Found application associated with file extension: .exe

                            Warnings

                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 40.113.110.67, 40.126.31.73, 40.126.31.67, 20.190.159.71, 20.190.159.23, 20.190.159.75, 20.190.159.2, 20.190.159.0, 20.190.159.4, 192.229.221.95, 104.208.16.94, 199.232.210.172, 184.28.90.27, 40.127.169.103, 52.165.164.15, 20.242.39.171
                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, wns.notify.trafficmanager.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com, glb.sls.prod.dcat.dsp.trafficmanager.net, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
                            • VT rate limit hit for: rPaymentAdvice-PDF.exe

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            13:47:10API Interceptor42x Sleep call for process: MSBuild.exe modified
                            13:47:13API Interceptor1x Sleep call for process: WerFault.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            bg.microsoft.map.fastly.netzb1.exeGet hashmaliciousUnknownBrowse
                            • 199.232.210.172
                            https://drive.google.com/file/d/1rUX5pF_yChUfocjQZEgSZVDbnTsCbsyI/view?usp=sharing_eil_m&ts=66679781Get hashmaliciousUnknownBrowse
                            • 199.232.210.172
                            https://workspace.cftc.gov/cedc903c-09bb-4a95-bb76-9b133af0550f/?action=replyGet hashmaliciousUnknownBrowse
                            • 199.232.210.172
                            file.exeGet hashmaliciousPureLog Stealer, RedLine, zgRATBrowse
                            • 199.232.210.172
                            https://mcfp.felk.cvut.czGet hashmaliciousPhisherBrowse
                            • 199.232.210.172
                            https://info.virtualhealth.com/e3t/Ctc/GB+113/cmmfD04/VWRD9T8N6WzjN8MJTHvTlRp-W842MfZ5g9NL_N6-TN-l3qgyTW7Y8-PT6lZ3mfW56Rjx787zhFxW4_YPND6r6flrW4BlJlg1DphdCVWC28Z4PpMbRW6GGMRN2bfpFdW7hSWPP6KFbcRW4PBy7c6n3dRqN7ztR5NtV-d9W1y6F6Z799h-lN1ZbvtmQ73TLW5ShFj48-W2NPW1L2f016vN6bSW45yp6K7Xp_V9W1fy0nl6xLNR_N5n9x3txmtWFN2nZ6w9QgWwJW1rlxcq4rmPQZW2D31f_3FjFXjN7D51x8lx574V_S2G96X3V3rW3xJHsh5zkBZjW6M_Gg24KcjVwW2wm07P9jh6znVyVtyJ6VBB3ZW80wlHc6H0YX2W1stJK56XtGc2f45z9Cx04Get hashmaliciousUnknownBrowse
                            • 199.232.214.172
                            http://www.tlyrxy.skyliexhys.comGet hashmaliciousUnknownBrowse
                            • 199.232.214.172
                            http://www.tlyrxy.skyliexhys.comGet hashmaliciousUnknownBrowse
                            • 199.232.214.172
                            https://deyangming.angebotfilesoffer.top/Get hashmaliciousHtmlDropper, HTMLPhisherBrowse
                            • 199.232.210.172
                            https://thetechglitch.com/Get hashmaliciousUnknownBrowse
                            • 199.232.214.172
                            fp2e7a.wpc.phicdn.nethttps://34.75.2o2.lol/XZXlZcys3Y0lMeE9qTWRaYisvV2ozVCtKTk9jbmZUSEdiYTZpTS9BYmpHY1I5Q3lSanAxam16TnE1Ly8zaitNeWxyTzBVQWhCS1VjcExjT0xsb284a2FQR1RLMkF3NGpiOVVvVHp4R2h6M3NmOWRIQmlQdmY2clJOcm11TXM2TDNadXUrUGxmclIwVGpyc3ViVndCME9RWXltbDl4QkZiNDVqRUhuVzNpZCs1cmNhS0s2bVk1ZWY3K0VCTG5FQzByWWJBTU53TGVvSjV2MXFBMitJQmgtLUNmdVg1bG1UOGdhbzNBaTQtLU9YTW5YNHNaYnFhVDM5V3BKaGVUZWc9PQ==?cid=2059126474Get hashmaliciousUnknownBrowse
                            • 192.229.221.95
                            https://drive.google.com/file/d/1rUX5pF_yChUfocjQZEgSZVDbnTsCbsyI/view?usp=sharing_eil_m&ts=66679781Get hashmaliciousUnknownBrowse
                            • 192.229.221.95
                            file.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                            • 192.229.221.95
                            https://workspace.cftc.gov/cedc903c-09bb-4a95-bb76-9b133af0550f/?action=replyGet hashmaliciousUnknownBrowse
                            • 192.229.221.95
                            http://www.chanamais.com/Get hashmaliciousUnknownBrowse
                            • 192.229.221.95
                            file.exeGet hashmaliciousPureLog Stealer, RedLine, zgRATBrowse
                            • 192.229.221.95
                            https://na2.docusign.net/Member/EmailStart.aspx?a=d9cc73d9-ae0f-4253-a792-b28e8e553025&acct=61cb9522-75f6-4286-9c9e-e0f21cfcb28c&er=7c01d5b5-65de-4226-821a-b71d7d0d5623&c=E,1,Js_dcjgNrYNrel1HuUzofphnyLHztW0huM_6dgU6JXOMHy6LrFNyRz9u0XbDVY5U7gRSOASLaSlWJc5pS8NIpp_k-HIIGeO2F0BtBCErZxdMks2Qmw,,&typo=1Get hashmaliciousUnknownBrowse
                            • 192.229.221.95
                            https://mcfp.felk.cvut.czGet hashmaliciousPhisherBrowse
                            • 192.229.221.95
                            https://info.virtualhealth.com/e3t/Ctc/GB+113/cmmfD04/VWRD9T8N6WzjN8MJTHvTlRp-W842MfZ5g9NL_N6-TN-l3qgyTW7Y8-PT6lZ3mfW56Rjx787zhFxW4_YPND6r6flrW4BlJlg1DphdCVWC28Z4PpMbRW6GGMRN2bfpFdW7hSWPP6KFbcRW4PBy7c6n3dRqN7ztR5NtV-d9W1y6F6Z799h-lN1ZbvtmQ73TLW5ShFj48-W2NPW1L2f016vN6bSW45yp6K7Xp_V9W1fy0nl6xLNR_N5n9x3txmtWFN2nZ6w9QgWwJW1rlxcq4rmPQZW2D31f_3FjFXjN7D51x8lx574V_S2G96X3V3rW3xJHsh5zkBZjW6M_Gg24KcjVwW2wm07P9jh6znVyVtyJ6VBB3ZW80wlHc6H0YX2W1stJK56XtGc2f45z9Cx04Get hashmaliciousUnknownBrowse
                            • 192.229.221.95
                            https://rrohlo.ac-page.com/paymentconfirmationGet hashmaliciousHTMLPhisherBrowse
                            • 192.229.221.95

                            ASNs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            GTSCEGTSCentralEuropeAntelGermanyCZOrdine_nr.24061168372.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                            • 185.146.87.128
                            pilnie wymagana wycena dlaprojektu suwalki (1).vbsGet hashmaliciousGuLoaderBrowse
                            • 109.205.90.147
                            QSX0atAPpN.elfGet hashmaliciousMiraiBrowse
                            • 91.120.152.19
                            YfM6hAPQaS.elfGet hashmaliciousMiraiBrowse
                            • 94.42.225.10
                            9W8C6mXhAB.elfGet hashmaliciousMiraiBrowse
                            • 94.42.250.26
                            mpsl.elfGet hashmaliciousMiraiBrowse
                            • 46.13.53.8
                            SMLUVN#U00cd FORMUL#U00c1#U0158-pdf.pif.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                            • 31.14.12.234
                            5dzdxe7bVc.elfGet hashmaliciousMiraiBrowse
                            • 194.213.46.247
                            ZAMOWIEN.EXE.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                            • 185.146.87.128
                            td2RgV6HyP.exeGet hashmaliciousSystemBCBrowse
                            • 188.240.2.189

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rPaymentAdvice-P_7067ea40173c6bca932f69650b72adac4cc52d8_897d0994_fa2abc5b-2323-451c-b16b-90c9e3ef8be0\Report.wer

                            Download File
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.1634753436511065
                            Encrypted:false
                            SSDEEP:192:JCr0ofla1Oi0VeWpRaWz3S9l/gCZFv82zuiFFZ24lO8r:O0otaSVBpRa4ifE2zuiFFY4lO8r
                            MD5:AA2997089778CAEEAF45A5A0C048CD82
                            SHA1:417FDBC31B73AD59B98D6BD7AB46653140FEAB6D
                            SHA-256:A4C5607BF4A8E60A61D3E24CD6F75C63776D009AB4DBA6358A87AA5A8AF27D69
                            SHA-512:D175AEAFB53462AF13A22234B096A070DF9E84F530A380D522ED05565BF79926CB1C2B5F57B5D4DB378F5498F7FF50EBE921DBA42F4E1CC999C7957C12068515
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.2.6.0.1.6.2.9.8.2.9.4.6.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.2.6.0.1.6.3.0.5.1.6.9.7.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.2.a.b.c.5.b.-.2.3.2.3.-.4.5.1.c.-.b.1.6.b.-.9.0.c.9.e.3.e.f.8.b.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.3.1.b.f.8.b.-.3.5.b.f.-.4.e.c.a.-.9.4.4.9.-.6.8.b.8.2.2.a.4.7.4.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.P.a.y.m.e.n.t.A.d.v.i.c.e.-.P.D.F...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.l.u.l.u.x.o.v.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.2.4.-.0.0.0.1.-.0.0.1.5.-.f.1.a.a.-.0.1.6.1.2.7.b.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.0.8.9.a.1.2.b.8.4.4.0.8.5.b.7.2.c.7.c.2.3.2.1.8.a.7.0.e.a.d.6.0.0.0.0.0.0.0.0.!.0.0.0.0.6.8.e.7.4.f.5.6.8.0.6.6.c.3.1.b.0.f.2.b.2.a.2.8.3.7.b.5.c.e.0.7.2.b.0.8.5.7.a.f.!.r.P.a.y.m.e.

                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER183.tmp.WERInternalMetadata.xml

                            Download File
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8912
                            Entropy (8bit):3.711066349047004
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJ91ZPwJ6Y2D97gogmfZIS0epr089bU4DfaR8m:R6lXJ/ZP26Yg7gogmffbUEfaf
                            MD5:59A852A989183917C29247C244E8F0F2
                            SHA1:015CCDB4F81E915B1E076FEB07953B75795A68A8
                            SHA-256:0EAC9AFA8355701203BC37471F7AD229EDC961005DAD526FC0FC67F8A005484C
                            SHA-512:98172C8FC3F1BA969E0364C90E748F51A976C0E24E88D9AB468FC2F97058E916C701250BC9A050E3C9358A93AC38AA0E47D0D809165599FEACE7DAC4047FACBB
                            Malicious:false
                            Reputation:low
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.2.0.<./.P.i.

                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C2.tmp.xml

                            Download File
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4857
                            Entropy (8bit):4.524786232894984
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zsjJg771I9FCWpW8VY85Ym8M4J6sE6FNTeTyq8v5sET5dhIBOd:uIjf9I7uD7VToJmyeTW71zIAd
                            MD5:2E03A5ABEB34B02A176BF99BC6788267
                            SHA1:B3B5B7B2DCB99F83BED61D32A8D2AA9DBF7DD59F
                            SHA-256:7A7A38EFCAC650A4271A870FCB136A5D94A3319322AB3BEDF306FE9FA40E4C1D
                            SHA-512:1AE1BA186ADE2FCCCC29186E5088D44547B236B542777A620A2DA9D6C10821229D2981AE3B2EE9B025F8215F4D7E55550367505A7BF3D1FCCDF08429F6AD74CF
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="363409" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFAD.tmp.dmp

                            Download File
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Mini DuMP crash report, 16 streams, Tue Jun 11 17:47:10 2024, 0x1205a4 type
                            Category:dropped
                            Size (bytes):482481
                            Entropy (8bit):3.585596037280979
                            Encrypted:false
                            SSDEEP:6144:T8gYzePoqUH0W3QwXTw5zqkbhbkQN3o9mVFIK0/xng:BYjqUH0WQwXTib3Cg
                            MD5:D5D8C8B60558EBCABBB2D7334A052133
                            SHA1:A48BB031B595B41EC53EECF513663B8A9A140268
                            SHA-256:D0ABA6D32D2A5B453121084F7C41E56AD4857767C44AB3730DAE9DF0D6248054
                            SHA-512:5750AA48516B1E818159963E87A250ECCF92B531C9F5EA6F020E357935738405316820B2DA67DBD477CB1561E518C62CBA99998103FBC5A556AB579A69E84C39
                            Malicious:false
                            Reputation:low
                            Preview:MDMP..a..... .........hf............................4.......$.... ......."... ......TX..X...........l.......8...........T...........`-..Q/...........C...........E..............................................................................eJ......LF......Lw......................T.......$.....hf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\appcompat\Programs\Amcache.hve

                            Download File
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.4691333758830405
                            Encrypted:false
                            SSDEEP:6144:kzZfpi6ceLPx9skLmb0fLZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:KZHtLZWOKnMM6bFpXj4
                            MD5:7CA0E16B29C77E2DB0E87B5E32FE91A3
                            SHA1:A7C1C47D8EB5F480DE6E403B2EC33380035D0FFA
                            SHA-256:656283DD1E542EFA3726274374346E12F9A4A62AC2C38CC4B856711E68742020
                            SHA-512:AE45B769DC53F96D9326AE0565BFEF091EEA5812ECBD3890928B51939947F5F93DE32E67DBBD624A97A202EF6CCD3512AF1810A4A2689389614065F57057CEF8
                            Malicious:false
                            Reputation:low
                            Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..&b'...............................................................................................................................................................................................................................................................................................................................................+.1V........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            Static File Info

                            General

                            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):4.745052609995144
                            TrID:
                            • Win64 Executable GUI Net Framework (217006/5) 49.88%
                            • Win64 Executable GUI (202006/5) 46.43%
                            • Win64 Executable (generic) (12005/4) 2.76%
                            • Generic Win/DOS Executable (2004/3) 0.46%
                            • DOS Executable Generic (2002/1) 0.46%
                            File name:rPaymentAdvice-PDF.exe
                            File size:2'613'780 bytes
                            MD5:cc74321fe70654e82ead4093093b0116
                            SHA1:68e74f568066c31b0f2b2a2837b5ce072b0857af
                            SHA256:8819d137ba69b96b3f3c28cca74603e86c4ecea2c821e5332452a51258176439
                            SHA512:e02dc05c21788129ee7509daf307b48632fb76d72ad0c01bd5bae78962a0e3c5b3e78052ca6db9a5f5d31d7b3e3ccbc77385a28a62b208385158a5852d897214
                            SSDEEP:12288:KP6pSfs5iMrbVM48GaHeRlPKlBEM9JVmkGkJ+yXiR0kVOmPiBR6y:KSIfspZRaHUlCR9JVYci05m6BR6y
                            TLSH:C2C51155B263AE4BFC9A4275D4E034F109FD6D2331FAA25FEF821CA691927FC02446B1
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....JO..........."...0.]................ ....@...... ....................................`................................

                            File Icon

                            Icon Hash:00928e8e8686b000

                            Static PE Info

                            General

                            Entrypoint:0x400000
                            Entrypoint Section:
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x864F4AF4 [Tue May 28 08:44:36 2041 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:

                            Entrypoint Preview

                            Instruction
                            dec ebp
                            pop edx
                            nop
                            add byte ptr [ebx], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax], al
                            add byte ptr [eax], al

                            Data Directories

                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xc0000x9e4.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                            IMAGE_DIRECTORY_ENTRY_DEBUG0xb1a00x38.text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                            Sections

                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x20000x925d0x940080f737d13de9c0324f797a5829ca123aFalse0.5640836148648649data6.371425468205272IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc0xc0000x9e40xa00de6ce812b86c1485eea247616e078f5dFalse0.31171875data4.127915122439665IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

                            NameRVASizeTypeLanguageCountryZLIB Complexity
                            RT_VERSION0xc0b80x3a0data0.4859913793103448
                            RT_VERSION0xc4580x3a0dataEnglishUnited States0.4870689655172414
                            RT_MANIFEST0xc7f80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                            Possible Origin

                            Language of compilation systemCountry where language is spokenMap
                            EnglishUnited States

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Jun 11, 2024 19:47:05.364284039 CEST49674443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:05.364284039 CEST49673443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:05.692512989 CEST49672443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:11.651597977 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:11.656829119 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:11.657011986 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:12.677642107 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:12.678028107 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:12.688040018 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:12.951570034 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:12.951874971 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:12.956803083 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.221443892 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.225975037 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:13.230818033 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.503258944 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.503304958 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.503340960 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.503376961 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.503391027 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:13.503443956 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:13.563231945 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:13.568075895 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.831501007 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:13.843555927 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:13.848407030 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:14.112457037 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:14.116955042 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:14.123064995 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:14.387032032 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:14.399949074 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:14.404999018 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:14.966567993 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:14.966928005 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:14.971720934 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:14.973642111 CEST49673443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:14.973720074 CEST49674443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:15.235213041 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:15.235557079 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:15.240367889 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:15.301764011 CEST49672443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:15.633728981 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:15.633955002 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:15.638840914 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:15.901952028 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:15.902702093 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:15.902792931 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:15.902867079 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:15.902867079 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:15.907566071 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:15.907623053 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:15.907766104 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:15.907932997 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:16.205813885 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:47:16.254925966 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:47:25.995182037 CEST49705443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:25.995559931 CEST49724443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:25.995610952 CEST44349724173.222.162.64192.168.2.6
                            Jun 11, 2024 19:47:25.995846033 CEST49724443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:25.995923042 CEST49724443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:25.995939016 CEST44349724173.222.162.64192.168.2.6
                            Jun 11, 2024 19:47:26.000179052 CEST44349705173.222.162.64192.168.2.6
                            Jun 11, 2024 19:47:27.010385990 CEST44349724173.222.162.64192.168.2.6
                            Jun 11, 2024 19:47:27.010456085 CEST49724443192.168.2.6173.222.162.64
                            Jun 11, 2024 19:47:52.217619896 CEST5581353192.168.2.6162.159.36.2
                            Jun 11, 2024 19:47:52.223841906 CEST5355813162.159.36.2192.168.2.6
                            Jun 11, 2024 19:47:52.223947048 CEST5581353192.168.2.6162.159.36.2
                            Jun 11, 2024 19:47:52.223985910 CEST5581353192.168.2.6162.159.36.2
                            Jun 11, 2024 19:47:52.229672909 CEST5355813162.159.36.2192.168.2.6
                            Jun 11, 2024 19:47:52.865334988 CEST5355813162.159.36.2192.168.2.6
                            Jun 11, 2024 19:47:52.866178989 CEST5581353192.168.2.6162.159.36.2
                            Jun 11, 2024 19:47:52.871273041 CEST5355813162.159.36.2192.168.2.6
                            Jun 11, 2024 19:47:52.871339083 CEST5581353192.168.2.6162.159.36.2
                            Jun 11, 2024 19:48:45.146063089 CEST4970480192.168.2.62.19.126.163
                            Jun 11, 2024 19:48:45.153090000 CEST80497042.19.126.163192.168.2.6
                            Jun 11, 2024 19:48:45.153306961 CEST4970480192.168.2.62.19.126.163
                            Jun 11, 2024 19:48:51.552035093 CEST49715587192.168.2.6212.146.84.76
                            Jun 11, 2024 19:48:51.557054996 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:48:51.820661068 CEST58749715212.146.84.76192.168.2.6
                            Jun 11, 2024 19:48:51.825716972 CEST49715587192.168.2.6212.146.84.76

                            UDP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Jun 11, 2024 19:47:11.533725977 CEST6535353192.168.2.61.1.1.1
                            Jun 11, 2024 19:47:11.625935078 CEST53653531.1.1.1192.168.2.6
                            Jun 11, 2024 19:47:52.216974974 CEST5352537162.159.36.2192.168.2.6
                            Jun 11, 2024 19:47:52.884290934 CEST53583031.1.1.1192.168.2.6

                            DNS Queries

                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                            Jun 11, 2024 19:47:11.533725977 CEST192.168.2.61.1.1.10x6434Standard query (0)mail.motek.roA (IP address)IN (0x0001)false

                            DNS Answers

                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                            Jun 11, 2024 19:47:11.625935078 CEST1.1.1.1192.168.2.60x6434No error (0)mail.motek.romotek.roCNAME (Canonical name)IN (0x0001)false
                            Jun 11, 2024 19:47:11.625935078 CEST1.1.1.1192.168.2.60x6434No error (0)motek.ro212.146.84.76A (IP address)IN (0x0001)false
                            Jun 11, 2024 19:47:12.739255905 CEST1.1.1.1192.168.2.60x8d0aNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                            Jun 11, 2024 19:47:12.739255905 CEST1.1.1.1192.168.2.60x8d0aNo error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false
                            Jun 11, 2024 19:47:14.076679945 CEST1.1.1.1192.168.2.60x90a4No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                            Jun 11, 2024 19:47:14.076679945 CEST1.1.1.1192.168.2.60x90a4No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

                            SMTP Packets

                            TimestampSource PortDest PortSource IPDest IPCommands
                            Jun 11, 2024 19:47:12.677642107 CEST58749715212.146.84.76192.168.2.6220-server30.romania-webhosting.com ESMTP Exim 4.96.2 #2 Tue, 11 Jun 2024 20:47:11 +0300
                            220-We do not authorize the use of this system to transport unsolicited,
                            220 and/or bulk e-mail.
                            Jun 11, 2024 19:47:12.678028107 CEST49715587192.168.2.6212.146.84.76EHLO 284992
                            Jun 11, 2024 19:47:12.951570034 CEST58749715212.146.84.76192.168.2.6250-server30.romania-webhosting.com Hello 284992 [173.254.250.91]
                            250-SIZE 52428800
                            250-8BITMIME
                            250-PIPELINING
                            250-PIPECONNECT
                            250-AUTH PLAIN LOGIN
                            250-STARTTLS
                            250 HELP
                            Jun 11, 2024 19:47:12.951874971 CEST49715587192.168.2.6212.146.84.76STARTTLS
                            Jun 11, 2024 19:47:13.221443892 CEST58749715212.146.84.76192.168.2.6220 TLS go ahead

                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:13:47:07
                            Start date:11/06/2024
                            Path:C:\Users\user\Desktop\rPaymentAdvice-PDF.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\rPaymentAdvice-PDF.exe"
                            Imagebase:0x24e6c200000
                            File size:2'613'780 bytes
                            MD5 hash:CC74321FE70654E82EAD4093093B0116
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:3
                            Start time:13:47:09
                            Start date:11/06/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                            Imagebase:0x8e0000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3384403596.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:moderate
                            Has exited:false

                            General

                            Target ID:6
                            Start time:13:47:09
                            Start date:11/06/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152
                            Imagebase:0x7ff70f970000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Disassembly

                            Reset < >

                              Execution Graph

                              Execution Coverage:11.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:13
                              Total number of Limit Nodes:0
                              execution_graph 13387 7ffd3468bf35 13389 7ffd3468bec8 13387->13389 13388 7ffd3468bed4 13389->13388 13390 7ffd3469b06b VirtualProtect 13389->13390 13391 7ffd3469b0b1 13390->13391 13392 7ffd3468bdfb 13393 7ffd3468be05 13392->13393 13394 7ffd3469b06b VirtualProtect 13393->13394 13395 7ffd3468bed4 13393->13395 13396 7ffd3469b0b1 13394->13396 13383 7ffd34685c0a 13386 7ffd34685c19 VirtualProtect 13383->13386 13385 7ffd34685cf1 13386->13385

                              Executed Functions

                              Function 00007FFD346831F0 Relevance: 10.2, Strings: 7, Instructions: 1422COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: 9q4$(=q4$H:q4$H:q4$H:q4$d$!q4
                              • API String ID: 0-3247378605
                              • Opcode ID: 59552f41aef587fce8f33c37fe1b3225b8c3f7adb43bea3f445995099379a9b8
                              • Instruction ID: 81fa2b0330180ffedae1f570e0b7902d9630b1d59a83649c3415cdcb67034732
                              • Opcode Fuzzy Hash: 59552f41aef587fce8f33c37fe1b3225b8c3f7adb43bea3f445995099379a9b8
                              • Instruction Fuzzy Hash: 8F923731B0CA594FE7E5DF2888A56F577E1FF96310B0441BAD58EC7293EE28AC428741
                              Function 00007FFD34687007 Relevance: 4.2, Strings: 3, Instructions: 441COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 241 7ffd34687007-7ffd34687009 242 7ffd3468707c 241->242 243 7ffd3468700b-7ffd3468706e 241->243 245 7ffd3468707d-7ffd34687100 call 7ffd34686c50 242->245 249 7ffd34687074-7ffd3468707b 243->249 250 7ffd346872e6-7ffd34687319 243->250 280 7ffd34687162-7ffd34687175 245->280 249->242 249->245 258 7ffd34687323-7ffd3468732a 250->258 259 7ffd3468731b-7ffd34687322 250->259 260 7ffd34687360 258->260 261 7ffd3468732c-7ffd3468733e 258->261 259->258 264 7ffd34687361-7ffd34687371 260->264 266 7ffd34687372-7ffd346873a1 261->266 267 7ffd34687340-7ffd34687342 261->267 279 7ffd346873a4-7ffd346873da 266->279 270 7ffd34687344-7ffd34687347 call 7ffd34686d20 267->270 271 7ffd3468734c-7ffd34687352 267->271 270->271 271->264 275 7ffd34687354-7ffd3468735d 271->275 275->260 279->279 283 7ffd346873dc 279->283 281 7ffd34687102-7ffd3468712c call 7ffd34686f70 * 2 call 7ffd34686f78 280->281 282 7ffd34687177-7ffd34687179 280->282 281->280 284 7ffd346871d2-7ffd346871e5 282->284 286 7ffd3468717b-7ffd346871b9 call 7ffd34686f70 * 2 call 7ffd34680230 284->286 287 7ffd346871e7-7ffd346871e9 284->287 312 7ffd346871c0-7ffd346871d0 286->312 290 7ffd3468728e-7ffd346872a1 287->290 293 7ffd346871ee-7ffd34687220 call 7ffd34686f70 290->293 294 7ffd346872a7-7ffd346872cd 290->294 304 7ffd34687222-7ffd34687238 293->304 305 7ffd3468723a-7ffd3468723b 293->305 309 7ffd346872d4-7ffd346872e5 294->309 307 7ffd3468723d-7ffd34687287 call 7ffd34684908 call 7ffd34686d28 304->307 305->307 315 7ffd3468728c 307->315 312->284 315->290
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: H$Xjq4$fish
                              • API String ID: 0-916339006
                              • Opcode ID: fd505f0604466a814f78024a6fd0e431da9f47d10fa02f68ac3099434e0e2607
                              • Instruction ID: 513209848d46383dab05f47d3cb437a41ad0765548275b2a4215d4ab2461a1fb
                              • Opcode Fuzzy Hash: fd505f0604466a814f78024a6fd0e431da9f47d10fa02f68ac3099434e0e2607
                              • Instruction Fuzzy Hash: 52C1293171CB990FE799AB6898B51F577E1EF97211B04017EE58BC72D3DD1CA8029381
                              Function 00007FFD3478026B Relevance: 3.0, Strings: 1, Instructions: 1767COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190807386.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34780000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: A
                              • API String ID: 0-3554254475
                              • Opcode ID: 7b15e1a6c453b515279f330856cc800aa30ee891d9008702212c149d7443911f
                              • Instruction ID: b9096f98931eec66f10dd1ff455928bd5309cc9773377b14523ca15e056689ec
                              • Opcode Fuzzy Hash: 7b15e1a6c453b515279f330856cc800aa30ee891d9008702212c149d7443911f
                              • Instruction Fuzzy Hash: 94C218B2A0D7C58FEB95DB2488A65A47BE0FF57301F1A05FAC189C7193D92C7806D781
                              Function 00007FFD3468B9F2 Relevance: 2.5, APIs: 1, Instructions: 1014COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 901 7ffd3468b9f2-7ffd3468ba0a 903 7ffd3468ba0c-7ffd3468ba0d 901->903 904 7ffd3468ba40-7ffd3468ba51 901->904 905 7ffd3468ba0e 903->905 906 7ffd3468ba0f-7ffd3468ba28 903->906 910 7ffd3468ba5c-7ffd3468ba5e 904->910 905->906 906->905 915 7ffd3468ba2a 906->915 912 7ffd3468ba60-7ffd3468ba6a 910->912 916 7ffd3468ba6c-7ffd3468ba8a 912->916 917 7ffd3468baa0-7ffd3468baaa 912->917 915->912 918 7ffd3468ba2c-7ffd3468ba39 915->918 926 7ffd3468bac0-7ffd3468baca 916->926 931 7ffd3468ba8c-7ffd3468ba9f 916->931 922 7ffd3468baab-7ffd3468babf 917->922 923 7ffd3468bae0-7ffd3468baea 917->923 918->904 922->926 929 7ffd3468baec-7ffd3468baf1 923->929 930 7ffd3468bb20-7ffd3468bb32 923->930 936 7ffd3468bacc-7ffd3468bad1 926->936 937 7ffd3468bb00-7ffd3468bb08 926->937 941 7ffd3468bb68-7ffd3468bb86 930->941 942 7ffd3468bb34-7ffd3468bb52 930->942 931->917 936->910 937->930 950 7ffd3468bb88-7ffd3468bb92 941->950 942->950 951 7ffd3468bb54-7ffd3468bb62 942->951 955 7ffd3468bbc8-7ffd3468bbd2 950->955 956 7ffd3468bb94-7ffd3468bbc6 950->956 954 7ffd3468bb63-7ffd3468bb66 951->954 954->941 959 7ffd3468bc08-7ffd3468bc12 955->959 960 7ffd3468bbd4-7ffd3468bbd9 955->960 956->955 966 7ffd3468bc48-7ffd3468bc56 959->966 967 7ffd3468bc14-7ffd3468bc26 959->967 960->954 963 7ffd3468bbdb-7ffd3468bbf2 960->963 973 7ffd3468bc28-7ffd3468bc46 963->973 974 7ffd3468bbf4-7ffd3468bbf9 963->974 977 7ffd3468bc5a-7ffd3468bc61 966->977 967->973 973->966 979 7ffd3468bc98-7ffd3468bc9e 977->979 980 7ffd3468bc64-7ffd3468bc89 977->980 986 7ffd3468bc9f-7ffd3468bca8 979->986 990 7ffd3468bc8c-7ffd3468bc97 980->990 991 7ffd3468bcc0-7ffd3468bcc9 980->991 992 7ffd3468bcaa 986->992 990->979 998 7ffd3468bcca 991->998 994 7ffd3468bcac-7ffd3468bcbf 992->994 995 7ffd3468bce0-7ffd3468bcea 992->995 994->991 1002 7ffd3468bcec-7ffd3468bcf1 995->1002 1003 7ffd3468bd20-7ffd3468bd3a 995->1003 1000 7ffd3468bccc-7ffd3468bcd1 998->1000 1001 7ffd3468bd00-7ffd3468bd1a 998->1001 1000->977 1000->995 1012 7ffd3468bd1c-7ffd3468bd1f 1001->1012 1013 7ffd3468bd50-7ffd3468bd58 1001->1013 1014 7ffd3468bd3c-7ffd3468bd41 1003->1014 1015 7ffd3468bd70-7ffd3468bd7a 1003->1015 1012->1003 1021 7ffd3468bd59-7ffd3468bd5a 1013->1021 1014->998 1020 7ffd3468bd43-7ffd3468bd4e 1014->1020 1022 7ffd3468bd7c-7ffd3468bd8f 1015->1022 1023 7ffd3468bdb0-7ffd3468bdce 1015->1023 1020->1013 1024 7ffd3468bd5c-7ffd3468bd6e 1021->1024 1025 7ffd3468bd90-7ffd3468bd9a 1021->1025 1022->1025 1035 7ffd3468bdd0-7ffd3468bdd1 1023->1035 1024->1015 1034 7ffd3468bd9c-7ffd3468bdaf 1025->1034 1025->1035 1034->1023 1035->1021
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7407640976a57028be84db39e0d8d3fccbd5d1feb4b5fc44242720a8f57c2bd0
                              • Instruction ID: edb07380956e39188fdcd2295b9e8bd3d95cbb9c6718d7f87be1c18de4671805
                              • Opcode Fuzzy Hash: 7407640976a57028be84db39e0d8d3fccbd5d1feb4b5fc44242720a8f57c2bd0
                              • Instruction Fuzzy Hash: 0462F772A0D6A24FE756AFAC94F60F67BE0EF52318B0801BAE1DDCB093DD1D74468641
                              Function 00007FFD3468ADD0 Relevance: 2.2, Strings: 1, Instructions: 934COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1038 7ffd3468add0-7ffd3468fbb5 1040 7ffd3468fbb7-7ffd3468fbfe 1038->1040 1041 7ffd3468fbff-7ffd3468fc29 1038->1041 1040->1041 1043 7ffd3468fc2b-7ffd3468fc40 1041->1043 1044 7ffd3468fc42 1041->1044 1046 7ffd3468fc44-7ffd3468fc49 1043->1046 1044->1046 1048 7ffd3468fd46-7ffd3468fd66 1046->1048 1049 7ffd3468fc4f-7ffd3468fc5e 1046->1049 1051 7ffd3468fdb7-7ffd3468fdc2 1048->1051 1053 7ffd3468fc68-7ffd3468fc69 1049->1053 1054 7ffd3468fc60-7ffd3468fc66 1049->1054 1055 7ffd3468fd68-7ffd3468fd6e 1051->1055 1056 7ffd3468fdc4-7ffd3468fdd3 1051->1056 1059 7ffd3468fc6b-7ffd3468fc8e 1053->1059 1054->1059 1057 7ffd34690232-7ffd3469024a 1055->1057 1058 7ffd3468fd74-7ffd3468fd95 call 7ffd3468adb0 1055->1058 1065 7ffd3468fdd5-7ffd3468fde7 1056->1065 1066 7ffd3468fde9 1056->1066 1068 7ffd3469024c-7ffd34690287 call 7ffd3468afe0 1057->1068 1069 7ffd34690294-7ffd346902c1 call 7ffd34687b80 1057->1069 1075 7ffd3468fd9a-7ffd3468fdb4 1058->1075 1064 7ffd3468fce3-7ffd3468fcee 1059->1064 1070 7ffd3468fc90-7ffd3468fc96 1064->1070 1071 7ffd3468fcf0-7ffd3468fd07 1064->1071 1067 7ffd3468fdeb-7ffd3468fdf0 1065->1067 1066->1067 1073 7ffd3468fdf6-7ffd3468fe18 call 7ffd3468adb0 1067->1073 1074 7ffd3468fe7c-7ffd3468fe90 1067->1074 1119 7ffd34690289-7ffd34690292 1068->1119 1120 7ffd346902d1-7ffd346902db 1068->1120 1116 7ffd346902cc-7ffd346902cf 1069->1116 1117 7ffd346902c3-7ffd346902cb 1069->1117 1070->1057 1076 7ffd3468fc9c-7ffd3468fce0 call 7ffd3468adb0 1070->1076 1087 7ffd3468fd36-7ffd3468fd41 call 7ffd3468ae38 1071->1087 1088 7ffd3468fd09-7ffd3468fd2f call 7ffd3468adb0 1071->1088 1107 7ffd3468fe46-7ffd3468fe47 1073->1107 1108 7ffd3468fe1a-7ffd3468fe44 1073->1108 1077 7ffd3468fee0-7ffd3468feef 1074->1077 1078 7ffd3468fe92-7ffd3468fe98 1074->1078 1075->1051 1076->1064 1103 7ffd3468fefc 1077->1103 1104 7ffd3468fef1-7ffd3468fefa 1077->1104 1083 7ffd3468feb7-7ffd3468fecf 1078->1083 1084 7ffd3468fe9a-7ffd3468feb5 1078->1084 1101 7ffd3468fed8-7ffd3468fedb 1083->1101 1084->1083 1087->1074 1088->1087 1109 7ffd34690088-7ffd3469009d 1101->1109 1112 7ffd3468fefe-7ffd3468ff03 1103->1112 1104->1112 1122 7ffd3468fe49-7ffd3468fe50 1107->1122 1108->1122 1125 7ffd346900dd 1109->1125 1126 7ffd3469009f-7ffd346900db 1109->1126 1113 7ffd3468ff09-7ffd3468ff0c 1112->1113 1114 7ffd3469020f-7ffd34690210 1112->1114 1123 7ffd3468ff0e-7ffd3468ff2b call 7ffd346801c0 1113->1123 1124 7ffd3468ff54 1113->1124 1130 7ffd34690213 1114->1130 1116->1120 1117->1116 1119->1069 1127 7ffd346902e6-7ffd346902f7 1120->1127 1128 7ffd346902dd-7ffd346902e5 1120->1128 1122->1074 1131 7ffd3468fe52-7ffd3468fe77 call 7ffd3468add8 1122->1131 1123->1124 1173 7ffd3468ff2d-7ffd3468ff52 1123->1173 1136 7ffd3468ff56-7ffd3468ff5b 1124->1136 1139 7ffd346900df-7ffd346900e4 1125->1139 1126->1139 1134 7ffd346902f9-7ffd34690301 1127->1134 1135 7ffd34690302-7ffd3469034f call 7ffd3468d860 1127->1135 1128->1127 1137 7ffd34690215-7ffd34690222 1130->1137 1138 7ffd346901a6-7ffd346901a7 1130->1138 1154 7ffd346901fe-7ffd3469020e 1131->1154 1134->1135 1181 7ffd34690361 1135->1181 1182 7ffd34690351-7ffd3469035f 1135->1182 1146 7ffd3469005c-7ffd3469007f 1136->1146 1147 7ffd3468ff61-7ffd3468ff6d 1136->1147 1142 7ffd34690223 1137->1142 1141 7ffd346901a8 1138->1141 1138->1142 1150 7ffd346900e6-7ffd3469013d call 7ffd34687ab8 1139->1150 1151 7ffd34690154-7ffd34690168 1139->1151 1152 7ffd34690229-7ffd3469022b 1141->1152 1153 7ffd346901a9 1141->1153 1142->1152 1163 7ffd34690085-7ffd34690086 1146->1163 1147->1057 1159 7ffd3468ff73-7ffd3468ff82 1147->1159 1172 7ffd346901ae-7ffd346901b4 1150->1172 1200 7ffd3469013f-7ffd34690143 1150->1200 1155 7ffd346901b7-7ffd346901c3 call 7ffd3468a010 1151->1155 1156 7ffd3469016a-7ffd34690195 call 7ffd34687ab8 1151->1156 1152->1057 1161 7ffd346901aa-7ffd346901ab 1153->1161 1162 7ffd346901f0-7ffd346901fb 1153->1162 1174 7ffd346901c4-7ffd346901dc 1155->1174 1186 7ffd3469019a-7ffd346901a2 1156->1186 1168 7ffd3468ff95-7ffd3468ffa2 call 7ffd346801c0 1159->1168 1169 7ffd3468ff84-7ffd3468ff93 1159->1169 1161->1172 1162->1154 1163->1109 1183 7ffd3468ffa8-7ffd3468ffae 1168->1183 1169->1183 1172->1155 1173->1136 1174->1057 1177 7ffd346901de-7ffd346901ee 1174->1177 1177->1162 1187 7ffd34690363-7ffd34690368 1181->1187 1182->1187 1188 7ffd3468ffb0-7ffd3468ffdd 1183->1188 1189 7ffd3468ffe3-7ffd3468ffe8 1183->1189 1186->1130 1191 7ffd346901a4-7ffd346901a5 1186->1191 1192 7ffd3469036a-7ffd3469037d call 7ffd34684970 1187->1192 1193 7ffd3469037f-7ffd34690385 1187->1193 1188->1189 1189->1057 1196 7ffd3468ffee-7ffd3469000e 1189->1196 1191->1138 1197 7ffd3469038c-7ffd34690393 1192->1197 1193->1197 1198 7ffd34690387 call 7ffd34687ad0 1193->1198 1205 7ffd34690010-7ffd34690021 1196->1205 1206 7ffd34690022-7ffd34690052 call 7ffd3468b0a0 1196->1206 1198->1197 1200->1174 1204 7ffd34690145-7ffd3469014f 1200->1204 1204->1151 1205->1206 1210 7ffd34690057-7ffd3469005a 1206->1210 1210->1109
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: #W_L
                              • API String ID: 0-3094981593
                              • Opcode ID: e3fdc5988b805013a54a636ad35626eb4109e5108b11e7f161289f126114d0dd
                              • Instruction ID: 86bf133a663a451484813e103421e99c2a993ff5544b7ea6d37e629f6f67521c
                              • Opcode Fuzzy Hash: e3fdc5988b805013a54a636ad35626eb4109e5108b11e7f161289f126114d0dd
                              • Instruction Fuzzy Hash: 5B52A930B08A594FDBACDF28D4A56B977E1FF56301B1401BED58EC7292DE28EC429741
                              Function 00007FFD34684908 Relevance: 1.9, Strings: 1, Instructions: 689COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1211 7ffd34684908-7ffd346874e1 call 7ffd346873a0 1218 7ffd34687504-7ffd34687513 1211->1218 1219 7ffd346874e3-7ffd346874f9 call 7ffd346873a0 call 7ffd346873f0 1218->1219 1220 7ffd34687515-7ffd3468752f call 7ffd346873a0 call 7ffd346873f0 1218->1220 1229 7ffd34687530-7ffd34687580 1219->1229 1230 7ffd346874fb-7ffd34687502 1219->1230 1234 7ffd34687582-7ffd34687587 call 7ffd34686d20 1229->1234 1235 7ffd3468758c-7ffd346875c3 1229->1235 1230->1218 1234->1235 1238 7ffd346877bf-7ffd346877ea 1235->1238 1239 7ffd346875c9-7ffd346875d4 1235->1239 1251 7ffd34687820-7ffd34687829 1238->1251 1252 7ffd346877ec-7ffd3468781f 1238->1252 1240 7ffd34687648-7ffd3468764d 1239->1240 1241 7ffd346875d6-7ffd346875e4 1239->1241 1242 7ffd346876c0-7ffd346876ca 1240->1242 1243 7ffd3468764f-7ffd3468765b 1240->1243 1241->1238 1244 7ffd346875ea-7ffd346875f9 1241->1244 1246 7ffd346876ec-7ffd346876f4 1242->1246 1247 7ffd346876cc-7ffd346876d9 call 7ffd34686d40 1242->1247 1243->1238 1248 7ffd34687661-7ffd34687674 1243->1248 1249 7ffd3468762d-7ffd34687638 1244->1249 1250 7ffd346875fb-7ffd3468762b 1244->1250 1253 7ffd346876f7-7ffd34687702 1246->1253 1272 7ffd346876de-7ffd346876ea 1247->1272 1248->1253 1249->1238 1258 7ffd3468763e-7ffd34687646 1249->1258 1250->1249 1263 7ffd34687679-7ffd3468767c 1250->1263 1254 7ffd3468782a 1251->1254 1255 7ffd34687846-7ffd34687870 1251->1255 1252->1251 1253->1238 1260 7ffd34687708-7ffd34687718 1253->1260 1261 7ffd3468782b-7ffd34687831 1254->1261 1258->1240 1258->1241 1260->1238 1266 7ffd3468771e-7ffd3468772b 1260->1266 1267 7ffd34687833-7ffd34687844 1261->1267 1268 7ffd34687871-7ffd346878c5 1261->1268 1269 7ffd34687692-7ffd3468769a 1263->1269 1270 7ffd3468767e-7ffd3468768e 1263->1270 1266->1238 1273 7ffd34687731-7ffd34687751 1266->1273 1267->1255 1267->1261 1289 7ffd346878d9-7ffd34687911 1268->1289 1290 7ffd346878c7-7ffd346878d7 1268->1290 1269->1238 1275 7ffd346876a0-7ffd346876bf 1269->1275 1270->1269 1272->1246 1273->1238 1283 7ffd34687753-7ffd34687762 1273->1283 1285 7ffd34687764-7ffd3468776f 1283->1285 1286 7ffd346877ad-7ffd346877be 1283->1286 1285->1286 1292 7ffd34687771-7ffd346877a8 call 7ffd34686d40 1285->1292 1297 7ffd34687913-7ffd34687919 1289->1297 1298 7ffd34687968-7ffd3468796f 1289->1298 1290->1289 1292->1286 1297->1298 1300 7ffd3468791b-7ffd3468791c 1297->1300 1301 7ffd346879b2-7ffd346879db 1298->1301 1302 7ffd34687971-7ffd34687972 1298->1302 1303 7ffd3468791f-7ffd34687922 1300->1303 1304 7ffd34687975-7ffd34687978 1302->1304 1307 7ffd346879dc-7ffd346879f1 1303->1307 1308 7ffd34687928-7ffd34687935 1303->1308 1304->1307 1309 7ffd3468797a-7ffd3468798b 1304->1309 1319 7ffd346879f3-7ffd346879fa 1307->1319 1320 7ffd346879fb-7ffd34687a0e 1307->1320 1311 7ffd34687961-7ffd34687966 1308->1311 1312 7ffd34687937-7ffd3468795e 1308->1312 1313 7ffd3468798d-7ffd34687993 1309->1313 1314 7ffd346879a9-7ffd346879b0 1309->1314 1311->1298 1311->1303 1312->1311 1313->1307 1315 7ffd34687995-7ffd346879a5 1313->1315 1314->1301 1314->1304 1315->1314 1319->1320
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: d
                              • API String ID: 0-2564639436
                              • Opcode ID: ac9b89acdd60a74f601956a8ecc1027985f7429933bb4b4cae436509979f9d14
                              • Instruction ID: a6a98e0ea4df5821a06daf0934c6b80277b8ef3217b2de503c1d6d5e74c84681
                              • Opcode Fuzzy Hash: ac9b89acdd60a74f601956a8ecc1027985f7429933bb4b4cae436509979f9d14
                              • Instruction Fuzzy Hash: FE125531B1CA690FE799DF2888E15B177E0EF42315B1442BAD59EC7197DE28F842C381
                              Function 00007FFD34691709 Relevance: 1.6, Instructions: 1575COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 482a9a817e5a2c5bc6fad11635d255fcf5c1d42712e875316be2781cc5247448
                              • Instruction ID: 631f7128ce51015693bee02e4ed8fa3d52a3fe0f9833efb356b771863a043978
                              • Opcode Fuzzy Hash: 482a9a817e5a2c5bc6fad11635d255fcf5c1d42712e875316be2781cc5247448
                              • Instruction Fuzzy Hash: DFB2473061CB994FE359DF2884A04F577E1FF96301B1449BED58AC72A6DE38E846C781
                              Function 00007FFD3468DB4A Relevance: .7, Instructions: 738COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 53e648e735ce0172004b0ca0e4384c16795707401ef258baae2a3a15db3e547f
                              • Instruction ID: f9a43f42a0d6284583b522845b6670309cec310d5e85f8fdfffc991fb2473ef9
                              • Opcode Fuzzy Hash: 53e648e735ce0172004b0ca0e4384c16795707401ef258baae2a3a15db3e547f
                              • Instruction Fuzzy Hash: 5F326A3270CA954FE389DF2884A11F577E2FF96300B1445BED58AC72A3DD2CA842D781
                              Function 00007FFD3468E308 Relevance: .5, Instructions: 520COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 77c7fb7e89197a456d31a9a060d171f23ef5817d83c2a4a1eb4e37fe67f48fd2
                              • Instruction ID: 3d5d246bf57d17351282219f8a8dcefe14945cb4fc929e4a9bad1581ce61379e
                              • Opcode Fuzzy Hash: 77c7fb7e89197a456d31a9a060d171f23ef5817d83c2a4a1eb4e37fe67f48fd2
                              • Instruction Fuzzy Hash: 77F1693160CB564FE358CF28C4A51B977D2FF92301B14467ED5CAC72A5DE2CE8429782
                              Function 00007FFD34685C0A Relevance: 1.6, APIs: 1, Instructions: 141memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1505 7ffd34685c0a-7ffd34685c17 1506 7ffd34685c22-7ffd34685c33 1505->1506 1507 7ffd34685c19-7ffd34685c21 1505->1507 1508 7ffd34685c3e-7ffd34685c49 1506->1508 1509 7ffd34685c35-7ffd34685c3d 1506->1509 1507->1506 1510 7ffd34685cbb-7ffd34685cef VirtualProtect 1508->1510 1511 7ffd34685c4b-7ffd34685cba 1508->1511 1509->1508 1513 7ffd34685cf1 1510->1513 1514 7ffd34685cf7-7ffd34685d1f 1510->1514 1511->1510 1513->1514
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 7ae960112caee9acd5c63b166b3771499fd2aa423377be46eb5c48b4bbcd2fb9
                              • Instruction ID: b54700923594a61c4e213dac10ef88e56824cacaa47c666a1358cd84c1bf154c
                              • Opcode Fuzzy Hash: 7ae960112caee9acd5c63b166b3771499fd2aa423377be46eb5c48b4bbcd2fb9
                              • Instruction Fuzzy Hash: D841263090CB888FD719DFA898566E97FF1EF66321F0402AFD049D3192CB686856CB91
                              Function 00007FFD347810C9 Relevance: .2, Instructions: 150COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190807386.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34780000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18d454a293bae40697248504df7bf566a5a2372ae7f3cdc2788af8faf16e7827
                              • Instruction ID: 9101c8c0cfaa88ce1918fb9cdb43e0678e49525cfe5fb7cfae0f329430d0e9f1
                              • Opcode Fuzzy Hash: 18d454a293bae40697248504df7bf566a5a2372ae7f3cdc2788af8faf16e7827
                              • Instruction Fuzzy Hash: 49413E76A0DAC98FDB96DF14C8E65E87FA0FF56301B0501EAC08AC7593DA29B841D381
                              Function 00007FFD34780A04 Relevance: .0, Instructions: 20COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190807386.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34780000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9d53de0bb73280b0af5815dcce0256cfe87b928a935f32107c018a478b5ab42f
                              • Instruction ID: 677cc5005005f157d541fa9f8035b0e869e305de226a9c2619ffbf5ce9de92f0
                              • Opcode Fuzzy Hash: 9d53de0bb73280b0af5815dcce0256cfe87b928a935f32107c018a478b5ab42f
                              • Instruction Fuzzy Hash: 50E0E530A146288ADB64DA58DC81BD9B3B1EB89200F0041E5D54DA3252CA306A84CF42

                              Non-executed Functions

                              Function 00007FFD34680EFA Relevance: 2.8, Strings: 2, Instructions: 264COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: 5M_^$6M_I
                              • API String ID: 0-2018393683
                              • Opcode ID: 1e0c58f0a4d1072d32b96bf7ca2018481dee561a6b768df42c74963d4e2c1446
                              • Instruction ID: 6f5bef077d9c943b7311e3001914931c8e1e161cf3716b4edc3344533b467749
                              • Opcode Fuzzy Hash: 1e0c58f0a4d1072d32b96bf7ca2018481dee561a6b768df42c74963d4e2c1446
                              • Instruction Fuzzy Hash: DD715B53F1D5A50AE7217BACB8650FABB94EF9233974803BBD1D8DB097AC1864468780
                              Function 00007FFD34680E65 Relevance: 1.6, Strings: 1, Instructions: 333COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190301521.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd34680000_rPaymentAdvice-PDF.jbxd
                              Similarity
                              • API ID:
                              • String ID: 6M_I
                              • API String ID: 0-3194347101
                              • Opcode ID: c38651cf03f64c414e6faa3a0f6599866b860a3d6de2465d0a201af289c00ddb
                              • Instruction ID: 0d9e53968613dd77458be19849d84b5344f75ff449c3e15484d2f1a60c455fe7
                              • Opcode Fuzzy Hash: c38651cf03f64c414e6faa3a0f6599866b860a3d6de2465d0a201af289c00ddb
                              • Instruction Fuzzy Hash: D0A10B53B0D6A54BD7216BACB8650FABB64EF9233A70803FBD1C8DB093DD1864468791

                              Execution Graph

                              Execution Coverage:7.5%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:3
                              Total number of Limit Nodes:0
                              execution_graph 26459 576e2a0 26460 576e2e6 GlobalMemoryStatusEx 26459->26460 26461 576e316 26460->26461

                              Executed Functions

                              Function 02A99B40 Relevance: 2.8, Instructions: 2811COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6750253b68ed2fb91eccd499235327b1b926090cc389f5b6b6dd5ecee54e3ec7
                              • Instruction ID: a03d1deb7e6b1426e8f73c7e710dc8a855d7b5eea6f8702ac0bd8da8651ab586
                              • Opcode Fuzzy Hash: 6750253b68ed2fb91eccd499235327b1b926090cc389f5b6b6dd5ecee54e3ec7
                              • Instruction Fuzzy Hash: E253E931D10B1A8ADB51EF69C880599F7B1EF99300F11D79AE4587B121FF70AAD4CB81
                              Function 02A9CDC0 Relevance: 2.3, Instructions: 2303COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7a00e727b7eb5bcf778331ec854b188ae5a8b71179a670eb1c885caa1f13f197
                              • Instruction ID: b40c10b3dd7ea8544cf2f7222aadd2dd3f585f140bf90224a7d8e6b9136f1c57
                              • Opcode Fuzzy Hash: 7a00e727b7eb5bcf778331ec854b188ae5a8b71179a670eb1c885caa1f13f197
                              • Instruction Fuzzy Hash: 59331D31D10B198EDB11EF69C8806ADF7B1FF99300F15C79AE459A7211EB70AAC5CB81
                              Function 02A93E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1052 2a93e80-2a93ee6 1054 2a93ee8-2a93ef3 1052->1054 1055 2a93f30-2a93f32 1052->1055 1054->1055 1056 2a93ef5-2a93f01 1054->1056 1057 2a93f34-2a93f8c 1055->1057 1058 2a93f03-2a93f0d 1056->1058 1059 2a93f24-2a93f2e 1056->1059 1066 2a93f8e-2a93f99 1057->1066 1067 2a93fd6-2a93fd8 1057->1067 1060 2a93f0f 1058->1060 1061 2a93f11-2a93f20 1058->1061 1059->1057 1060->1061 1061->1061 1063 2a93f22 1061->1063 1063->1059 1066->1067 1068 2a93f9b-2a93fa7 1066->1068 1069 2a93fda-2a93ff2 1067->1069 1070 2a93fa9-2a93fb3 1068->1070 1071 2a93fca-2a93fd4 1068->1071 1076 2a9403c-2a9403e 1069->1076 1077 2a93ff4-2a93fff 1069->1077 1072 2a93fb5 1070->1072 1073 2a93fb7-2a93fc6 1070->1073 1071->1069 1072->1073 1073->1073 1075 2a93fc8 1073->1075 1075->1071 1078 2a94040-2a9408e 1076->1078 1077->1076 1079 2a94001-2a9400d 1077->1079 1087 2a94094-2a940a2 1078->1087 1080 2a9400f-2a94019 1079->1080 1081 2a94030-2a9403a 1079->1081 1082 2a9401b 1080->1082 1083 2a9401d-2a9402c 1080->1083 1081->1078 1082->1083 1083->1083 1085 2a9402e 1083->1085 1085->1081 1088 2a940ab-2a9410b 1087->1088 1089 2a940a4-2a940aa 1087->1089 1096 2a9411b-2a9411f 1088->1096 1097 2a9410d-2a94111 1088->1097 1089->1088 1099 2a9412f-2a94133 1096->1099 1100 2a94121-2a94125 1096->1100 1097->1096 1098 2a94113 1097->1098 1098->1096 1101 2a94143-2a94147 1099->1101 1102 2a94135-2a94139 1099->1102 1100->1099 1103 2a94127-2a9412a call 2a90ab8 1100->1103 1106 2a94149-2a9414d 1101->1106 1107 2a94157-2a9415b 1101->1107 1102->1101 1105 2a9413b-2a9413e call 2a90ab8 1102->1105 1103->1099 1105->1101 1106->1107 1109 2a9414f-2a94152 call 2a90ab8 1106->1109 1110 2a9416b-2a9416f 1107->1110 1111 2a9415d-2a94161 1107->1111 1109->1107 1114 2a9417f 1110->1114 1115 2a94171-2a94175 1110->1115 1111->1110 1113 2a94163 1111->1113 1113->1110 1117 2a94180 1114->1117 1115->1114 1116 2a94177 1115->1116 1116->1114 1117->1117
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: \Vm
                              • API String ID: 0-21153899
                              • Opcode ID: 8b54c661d646435be7bb87e2641b76b69b33b4ada735d56ccaa03feb1ebc10a6
                              • Instruction ID: 70cda2dbde0bba70d0b05027b19ead39d3f8f99f2d7fb147a9eba95dcee66ee7
                              • Opcode Fuzzy Hash: 8b54c661d646435be7bb87e2641b76b69b33b4ada735d56ccaa03feb1ebc10a6
                              • Instruction Fuzzy Hash: D7913D70E00209DFDF14CFAAC9857DEBBF2AF88714F248129E415AB254EB749846CF91
                              Function 02A94A98 Relevance: .3, Instructions: 266COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3420 2a94a98-2a94afe 3422 2a94b48-2a94b4a 3420->3422 3423 2a94b00-2a94b0b 3420->3423 3424 2a94b4c-2a94b65 3422->3424 3423->3422 3425 2a94b0d-2a94b19 3423->3425 3432 2a94bb1-2a94bb3 3424->3432 3433 2a94b67-2a94b73 3424->3433 3426 2a94b1b-2a94b25 3425->3426 3427 2a94b3c-2a94b46 3425->3427 3428 2a94b29-2a94b38 3426->3428 3429 2a94b27 3426->3429 3427->3424 3428->3428 3431 2a94b3a 3428->3431 3429->3428 3431->3427 3434 2a94bb5-2a94bcd 3432->3434 3433->3432 3435 2a94b75-2a94b81 3433->3435 3442 2a94bcf-2a94bda 3434->3442 3443 2a94c17-2a94c19 3434->3443 3436 2a94b83-2a94b8d 3435->3436 3437 2a94ba4-2a94baf 3435->3437 3438 2a94b8f 3436->3438 3439 2a94b91-2a94ba0 3436->3439 3437->3434 3438->3439 3439->3439 3441 2a94ba2 3439->3441 3441->3437 3442->3443 3445 2a94bdc-2a94be8 3442->3445 3444 2a94c1b-2a94c33 3443->3444 3451 2a94c7d-2a94c7f 3444->3451 3452 2a94c35-2a94c40 3444->3452 3446 2a94c0b-2a94c15 3445->3446 3447 2a94bea-2a94bf4 3445->3447 3446->3444 3449 2a94bf8-2a94c07 3447->3449 3450 2a94bf6 3447->3450 3449->3449 3453 2a94c09 3449->3453 3450->3449 3455 2a94c81-2a94cf4 3451->3455 3452->3451 3454 2a94c42-2a94c4e 3452->3454 3453->3446 3456 2a94c71-2a94c7b 3454->3456 3457 2a94c50-2a94c5a 3454->3457 3464 2a94cfa-2a94d08 3455->3464 3456->3455 3458 2a94c5c 3457->3458 3459 2a94c5e-2a94c6d 3457->3459 3458->3459 3459->3459 3461 2a94c6f 3459->3461 3461->3456 3465 2a94d0a-2a94d10 3464->3465 3466 2a94d11-2a94d71 3464->3466 3465->3466 3473 2a94d81-2a94d85 3466->3473 3474 2a94d73-2a94d77 3466->3474 3475 2a94d95-2a94d99 3473->3475 3476 2a94d87-2a94d8b 3473->3476 3474->3473 3477 2a94d79 3474->3477 3479 2a94da9-2a94dad 3475->3479 3480 2a94d9b-2a94d9f 3475->3480 3476->3475 3478 2a94d8d 3476->3478 3477->3473 3478->3475 3482 2a94dbd-2a94dc1 3479->3482 3483 2a94daf-2a94db3 3479->3483 3480->3479 3481 2a94da1 3480->3481 3481->3479 3485 2a94dd1-2a94dd5 3482->3485 3486 2a94dc3-2a94dc7 3482->3486 3483->3482 3484 2a94db5 3483->3484 3484->3482 3487 2a94de5 3485->3487 3488 2a94dd7-2a94ddb 3485->3488 3486->3485 3489 2a94dc9-2a94dcc call 2a90ab8 3486->3489 3493 2a94de6 3487->3493 3488->3487 3491 2a94ddd-2a94de0 call 2a90ab8 3488->3491 3489->3485 3491->3487 3493->3493
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e0e6d5fa0fc6163fdda6059adc69def89280a22ca7d1944ade13550c3ff1788b
                              • Instruction ID: e2e54f7a0f1b2801cbcfc609e582634688646f02b71e7ebafd24fcf81117db96
                              • Opcode Fuzzy Hash: e0e6d5fa0fc6163fdda6059adc69def89280a22ca7d1944ade13550c3ff1788b
                              • Instruction Fuzzy Hash: 30B14D74E003098FDF14CFAAC8817ADBBF2AF8C754F148129D819EB254EB749846CB91
                              Function 0576E298 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1040 576e298-576e2de 1041 576e2e6-576e314 GlobalMemoryStatusEx 1040->1041 1042 576e316-576e31c 1041->1042 1043 576e31d-576e345 1041->1043 1042->1043
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(8B55051A), ref: 0576E307
                              Memory Dump Source
                              • Source File: 00000003.00000002.3388496793.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5760000_MSBuild.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: d36573e80309370cde40cc94f2da7b3d5ed49a640605afeaa430323637dd2d49
                              • Instruction ID: eb4cf8d349f0579cf602ee8ea7b02d30e8d0e0c1dd6b481ca6bb7515e784eddb
                              • Opcode Fuzzy Hash: d36573e80309370cde40cc94f2da7b3d5ed49a640605afeaa430323637dd2d49
                              • Instruction Fuzzy Hash: 571100B1C0065A9FDB10CF9AD444BEEFBF5AB48320F24816AD818A7240D378A954CFA5
                              Function 0576E2A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1046 576e2a0-576e314 GlobalMemoryStatusEx 1048 576e316-576e31c 1046->1048 1049 576e31d-576e345 1046->1049 1048->1049
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(8B55051A), ref: 0576E307
                              Memory Dump Source
                              • Source File: 00000003.00000002.3388496793.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5760000_MSBuild.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: e8f416fe5175012373adf0f27ada91eeb13dfb785195f8d3b28747e27737334f
                              • Instruction ID: 235eeb4ea2ef875965b7cd8e8c3342858e14507e1e7a8d19d3fff3ccd5f2ee7e
                              • Opcode Fuzzy Hash: e8f416fe5175012373adf0f27ada91eeb13dfb785195f8d3b28747e27737334f
                              • Instruction Fuzzy Hash: 611112B1C0065A9FDB10DF9AC844BDEFBF4EF48720F14812AD818A7240D378A954CFA5
                              Function 02A93E74 Relevance: 1.5, Strings: 1, Instructions: 235COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1118 2a93e74-2a93ee6 1120 2a93ee8-2a93ef3 1118->1120 1121 2a93f30-2a93f32 1118->1121 1120->1121 1122 2a93ef5-2a93f01 1120->1122 1123 2a93f34-2a93f8c 1121->1123 1124 2a93f03-2a93f0d 1122->1124 1125 2a93f24-2a93f2e 1122->1125 1132 2a93f8e-2a93f99 1123->1132 1133 2a93fd6-2a93fd8 1123->1133 1126 2a93f0f 1124->1126 1127 2a93f11-2a93f20 1124->1127 1125->1123 1126->1127 1127->1127 1129 2a93f22 1127->1129 1129->1125 1132->1133 1134 2a93f9b-2a93fa7 1132->1134 1135 2a93fda-2a93ff2 1133->1135 1136 2a93fa9-2a93fb3 1134->1136 1137 2a93fca-2a93fd4 1134->1137 1142 2a9403c-2a9403e 1135->1142 1143 2a93ff4-2a93fff 1135->1143 1138 2a93fb5 1136->1138 1139 2a93fb7-2a93fc6 1136->1139 1137->1135 1138->1139 1139->1139 1141 2a93fc8 1139->1141 1141->1137 1144 2a94040-2a94052 1142->1144 1143->1142 1145 2a94001-2a9400d 1143->1145 1152 2a94059-2a9408e 1144->1152 1146 2a9400f-2a94019 1145->1146 1147 2a94030-2a9403a 1145->1147 1148 2a9401b 1146->1148 1149 2a9401d-2a9402c 1146->1149 1147->1144 1148->1149 1149->1149 1151 2a9402e 1149->1151 1151->1147 1153 2a94094-2a940a2 1152->1153 1154 2a940ab-2a9410b 1153->1154 1155 2a940a4-2a940aa 1153->1155 1162 2a9411b-2a9411f 1154->1162 1163 2a9410d-2a94111 1154->1163 1155->1154 1165 2a9412f-2a94133 1162->1165 1166 2a94121-2a94125 1162->1166 1163->1162 1164 2a94113 1163->1164 1164->1162 1167 2a94143-2a94147 1165->1167 1168 2a94135-2a94139 1165->1168 1166->1165 1169 2a94127-2a9412a call 2a90ab8 1166->1169 1172 2a94149-2a9414d 1167->1172 1173 2a94157-2a9415b 1167->1173 1168->1167 1171 2a9413b-2a9413e call 2a90ab8 1168->1171 1169->1165 1171->1167 1172->1173 1175 2a9414f-2a94152 call 2a90ab8 1172->1175 1176 2a9416b-2a9416f 1173->1176 1177 2a9415d-2a94161 1173->1177 1175->1173 1180 2a9417f 1176->1180 1181 2a94171-2a94175 1176->1181 1177->1176 1179 2a94163 1177->1179 1179->1176 1183 2a94180 1180->1183 1181->1180 1182 2a94177 1181->1182 1182->1180 1183->1183
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: \Vm
                              • API String ID: 0-21153899
                              • Opcode ID: 90decd1b1586e9a9be6a84508074c84af9580a16045ce7e319161fac9bc65388
                              • Instruction ID: 192d8d47580ff1d07ba0e9a1bfdc605e291c95baca25afc25d5f66742a38357e
                              • Opcode Fuzzy Hash: 90decd1b1586e9a9be6a84508074c84af9580a16045ce7e319161fac9bc65388
                              • Instruction Fuzzy Hash: CD913A70E00209DFDF10CFAAD9857DEBBF2AF48714F248129E415AB254EB749986CF91
                              Function 02A97908 Relevance: .6, Instructions: 551COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2192 2a97908-2a9791f 2193 2a97921-2a97924 2192->2193 2194 2a97951-2a97954 2193->2194 2195 2a97926-2a9794c 2193->2195 2196 2a97981-2a97984 2194->2196 2197 2a97956-2a9797c 2194->2197 2195->2194 2199 2a979b1-2a979b4 2196->2199 2200 2a97986-2a979ac 2196->2200 2197->2196 2201 2a979e1-2a979e4 2199->2201 2202 2a979b6-2a979dc 2199->2202 2200->2199 2206 2a97a11-2a97a14 2201->2206 2207 2a979e6-2a97a0c 2201->2207 2202->2201 2208 2a97a41-2a97a44 2206->2208 2209 2a97a16-2a97a3c 2206->2209 2207->2206 2215 2a97a71-2a97a74 2208->2215 2216 2a97a46-2a97a6c 2208->2216 2209->2208 2217 2a97aa1-2a97aa4 2215->2217 2218 2a97a76-2a97a9c 2215->2218 2216->2215 2225 2a97ad1-2a97ad4 2217->2225 2226 2a97aa6-2a97acc 2217->2226 2218->2217 2227 2a97ae5-2a97ae8 2225->2227 2228 2a97ad6-2a97ad8 2225->2228 2226->2225 2235 2a97aea-2a97b10 2227->2235 2236 2a97b15-2a97b18 2227->2236 2406 2a97ada call 2a99160 2228->2406 2407 2a97ada call 2a99150 2228->2407 2408 2a97ada call 2a99203 2228->2408 2235->2236 2237 2a97b1a-2a97b40 2236->2237 2238 2a97b45-2a97b48 2236->2238 2237->2238 2244 2a97b4a-2a97b70 2238->2244 2245 2a97b75-2a97b78 2238->2245 2239 2a97ae0 2239->2227 2244->2245 2247 2a97b7a-2a97b8e 2245->2247 2248 2a97b93-2a97b96 2245->2248 2247->2248 2252 2a97b98-2a97bbe 2248->2252 2253 2a97bc3-2a97bc6 2248->2253 2252->2253 2256 2a97bc8-2a97bee 2253->2256 2257 2a97bf3-2a97bf6 2253->2257 2256->2257 2261 2a97bf8-2a97c1e 2257->2261 2262 2a97c23-2a97c26 2257->2262 2261->2262 2265 2a97c28-2a97c4e 2262->2265 2266 2a97c53-2a97c56 2262->2266 2265->2266 2271 2a97c58-2a97c7e 2266->2271 2272 2a97c83-2a97c86 2266->2272 2271->2272 2275 2a97c88-2a97cae 2272->2275 2276 2a97cb3-2a97cb6 2272->2276 2275->2276 2279 2a97cb8-2a97cde 2276->2279 2280 2a97ce3-2a97ce6 2276->2280 2279->2280 2284 2a97ce8-2a97d0e 2280->2284 2285 2a97d13-2a97d16 2280->2285 2284->2285 2289 2a97d18-2a97d3e 2285->2289 2290 2a97d43-2a97d46 2285->2290 2289->2290 2294 2a97d48-2a97d6e 2290->2294 2295 2a97d73-2a97d76 2290->2295 2294->2295 2299 2a97d78-2a97d9e 2295->2299 2300 2a97da3-2a97da6 2295->2300 2299->2300 2304 2a97da8-2a97dce 2300->2304 2305 2a97dd3-2a97dd6 2300->2305 2304->2305 2309 2a97dd8-2a97dfe 2305->2309 2310 2a97e03-2a97e06 2305->2310 2309->2310 2314 2a97e08-2a97e2e 2310->2314 2315 2a97e33-2a97e36 2310->2315 2314->2315 2319 2a97e38-2a97e4e 2315->2319 2320 2a97e53-2a97e56 2315->2320 2319->2320 2327 2a97e58 2320->2327 2328 2a97e63-2a97e66 2320->2328 2334 2a97e5e 2327->2334 2329 2a97e68-2a97e8e 2328->2329 2330 2a97e93-2a97e96 2328->2330 2329->2330 2337 2a97e98-2a97ebe 2330->2337 2338 2a97ec3-2a97ec6 2330->2338 2334->2328 2337->2338 2339 2a97ec8-2a97eee 2338->2339 2340 2a97ef3-2a97ef6 2338->2340 2339->2340 2345 2a97ef8-2a97f1e 2340->2345 2346 2a97f23-2a97f26 2340->2346 2345->2346 2348 2a97f28-2a97f4e 2346->2348 2349 2a97f53-2a97f56 2346->2349 2348->2349 2352 2a97f58-2a97f7e 2349->2352 2353 2a97f83-2a97f86 2349->2353 2352->2353 2356 2a97f88-2a97fae 2353->2356 2357 2a97fb3-2a97fb6 2353->2357 2356->2357 2362 2a97fb8-2a97fde 2357->2362 2363 2a97fe3-2a97fe6 2357->2363 2362->2363 2366 2a97fe8-2a9800e 2363->2366 2367 2a98013-2a98016 2363->2367 2366->2367 2372 2a98018-2a9803e 2367->2372 2373 2a98043-2a98046 2367->2373 2372->2373 2376 2a98048-2a9806e 2373->2376 2377 2a98073-2a98076 2373->2377 2376->2377 2382 2a98078-2a9809e 2377->2382 2383 2a980a3-2a980a6 2377->2383 2382->2383 2386 2a980a8-2a980ce 2383->2386 2387 2a980d3-2a980d5 2383->2387 2386->2387 2392 2a980dc-2a980df 2387->2392 2393 2a980d7 2387->2393 2392->2193 2399 2a980e5-2a980eb 2392->2399 2393->2392 2406->2239 2407->2239 2408->2239
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f7a7c0b5a5aeddb2e1bbe4cee1dd878315733138ee9d0e45fb9a0a66cec2306a
                              • Instruction ID: 4e0af34b8078c14f93ab93c5ed72405c84790990a1ff741b8400809ee119959c
                              • Opcode Fuzzy Hash: f7a7c0b5a5aeddb2e1bbe4cee1dd878315733138ee9d0e45fb9a0a66cec2306a
                              • Instruction Fuzzy Hash: B31283317102068FDB25AB3CD98672876A2EFC9358B504929E105CF395CFB9DD87DB90
                              Function 02A996E0 Relevance: .4, Instructions: 357COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2715 2a996e0-2a996fa 2716 2a996fc-2a996ff 2715->2716 2717 2a9987a-2a99884 2716->2717 2718 2a99705-2a99708 2716->2718 2719 2a9970a-2a99713 2718->2719 2720 2a9971e-2a99721 2718->2720 2721 2a99719 2719->2721 2722 2a997dc-2a997e5 2719->2722 2723 2a9972b-2a9972e 2720->2723 2724 2a99723-2a99726 2720->2724 2721->2720 2727 2a997eb-2a997ef 2722->2727 2728 2a99885-2a99903 2722->2728 2725 2a9974d-2a99750 2723->2725 2726 2a99730-2a9974c 2723->2726 2724->2723 2730 2a9976f-2a99772 2725->2730 2731 2a99752-2a9976a 2725->2731 2729 2a997f4-2a997f7 2727->2729 2772 2a99909-2a9990b 2728->2772 2773 2a99a1a-2a99a21 2728->2773 2736 2a99809-2a9980c 2729->2736 2737 2a997f9 2729->2737 2733 2a99792-2a99795 2730->2733 2734 2a99774-2a9978d 2730->2734 2731->2730 2733->2719 2739 2a9979b-2a9979e 2733->2739 2734->2733 2740 2a9980e-2a99821 2736->2740 2741 2a99826-2a99829 2736->2741 2749 2a99801-2a99804 2737->2749 2747 2a997a0-2a997a2 2739->2747 2748 2a997b5-2a997b8 2739->2748 2740->2741 2743 2a9982b-2a99843 2741->2743 2744 2a9984e-2a99851 2741->2744 2743->2724 2764 2a99849 2743->2764 2754 2a9985b-2a9985e 2744->2754 2755 2a99853-2a99858 2744->2755 2761 2a997ac-2a997ae 2747->2761 2751 2a997ba-2a997d2 2748->2751 2752 2a997d7-2a997da 2748->2752 2749->2736 2751->2752 2752->2722 2752->2729 2759 2a99868-2a9986a 2754->2759 2760 2a99860-2a99863 2754->2760 2755->2754 2765 2a9986c 2759->2765 2766 2a99871-2a99874 2759->2766 2760->2759 2761->2726 2767 2a997b0 2761->2767 2764->2744 2765->2766 2766->2716 2766->2717 2767->2748 2815 2a9990e call 2a9968e 2772->2815 2816 2a9990e call 2a996e0 2772->2816 2817 2a9990e call 2a99490 2772->2817 2818 2a9990e call 2a99890 2772->2818 2819 2a9990e call 2a99364 2772->2819 2774 2a99914-2a99920 2776 2a9992b-2a99932 2774->2776 2777 2a99922-2a99929 2774->2777 2777->2776 2778 2a99933-2a9995a 2777->2778 2782 2a9995c-2a99963 2778->2782 2783 2a99964-2a9996b 2778->2783 2784 2a99971-2a99975 2783->2784 2785 2a99a22-2a99a53 2783->2785 2786 2a9997f-2a999fe 2784->2786 2787 2a99977-2a9997e 2784->2787 2790 2a99a55-2a99a57 2785->2790 2798 2a99a0e-2a99a14 call 2a99b40 2786->2798 2799 2a99a00-2a99a07 2786->2799 2791 2a99a59 2790->2791 2792 2a99a5e-2a99a61 2790->2792 2791->2792 2792->2790 2793 2a99a63-2a99a9f call 2a90368 2792->2793 2802 2a99aa1-2a99aa3 2793->2802 2803 2a99aa7-2a99aaa 2793->2803 2798->2773 2799->2798 2804 2a99af1 2802->2804 2805 2a99aa5 2802->2805 2803->2804 2806 2a99aac-2a99ad6 2803->2806 2807 2a99af6-2a99afa 2804->2807 2805->2806 2813 2a99adc-2a99aef 2806->2813 2809 2a99afc 2807->2809 2810 2a99b05 2807->2810 2809->2810 2813->2807 2815->2774 2816->2774 2817->2774 2818->2774 2819->2774
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1a29006f4e5e64b06e1576e9625bcf848fb4320b2febbeb37dc741be2d305ec0
                              • Instruction ID: 3ae72dfef6cd6e359a1c38b7e9da28d313a645b94b8870ac3f1def39c86a777f
                              • Opcode Fuzzy Hash: 1a29006f4e5e64b06e1576e9625bcf848fb4320b2febbeb37dc741be2d305ec0
                              • Instruction Fuzzy Hash: CFC18A74B002069FDF14CF69D8807AEB7F6EF89310F24856AE909DB395DB35D8418B91
                              Function 02A99364 Relevance: .3, Instructions: 304COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a94b22eb9b2d0d34216b8e04bf0044e87b6c1b746aeec5a4c52130b17211ae0d
                              • Instruction ID: fbcebe6667c5122a3b7d138e7fbd7db5e50cab5e1431ad278bec2db7fdb437e7
                              • Opcode Fuzzy Hash: a94b22eb9b2d0d34216b8e04bf0044e87b6c1b746aeec5a4c52130b17211ae0d
                              • Instruction Fuzzy Hash: 61B15939B001059FDB15DBA9D984AAEBBF2EF88310F148469E906E7395DF35DC42CB50
                              Function 02A94A8C Relevance: .3, Instructions: 261COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3494 2a94a8c-2a94afe 3497 2a94b48-2a94b4a 3494->3497 3498 2a94b00-2a94b0b 3494->3498 3499 2a94b4c-2a94b65 3497->3499 3498->3497 3500 2a94b0d-2a94b19 3498->3500 3507 2a94bb1-2a94bb3 3499->3507 3508 2a94b67-2a94b73 3499->3508 3501 2a94b1b-2a94b25 3500->3501 3502 2a94b3c-2a94b46 3500->3502 3503 2a94b29-2a94b38 3501->3503 3504 2a94b27 3501->3504 3502->3499 3503->3503 3506 2a94b3a 3503->3506 3504->3503 3506->3502 3509 2a94bb5-2a94bcd 3507->3509 3508->3507 3510 2a94b75-2a94b81 3508->3510 3517 2a94bcf-2a94bda 3509->3517 3518 2a94c17-2a94c19 3509->3518 3511 2a94b83-2a94b8d 3510->3511 3512 2a94ba4-2a94baf 3510->3512 3513 2a94b8f 3511->3513 3514 2a94b91-2a94ba0 3511->3514 3512->3509 3513->3514 3514->3514 3516 2a94ba2 3514->3516 3516->3512 3517->3518 3520 2a94bdc-2a94be8 3517->3520 3519 2a94c1b-2a94c33 3518->3519 3526 2a94c7d-2a94c7f 3519->3526 3527 2a94c35-2a94c40 3519->3527 3521 2a94c0b-2a94c15 3520->3521 3522 2a94bea-2a94bf4 3520->3522 3521->3519 3524 2a94bf8-2a94c07 3522->3524 3525 2a94bf6 3522->3525 3524->3524 3528 2a94c09 3524->3528 3525->3524 3530 2a94c81-2a94cb7 3526->3530 3527->3526 3529 2a94c42-2a94c4e 3527->3529 3528->3521 3531 2a94c71-2a94c7b 3529->3531 3532 2a94c50-2a94c5a 3529->3532 3538 2a94cbf-2a94cf4 3530->3538 3531->3530 3533 2a94c5c 3532->3533 3534 2a94c5e-2a94c6d 3532->3534 3533->3534 3534->3534 3536 2a94c6f 3534->3536 3536->3531 3539 2a94cfa-2a94d08 3538->3539 3540 2a94d0a-2a94d10 3539->3540 3541 2a94d11-2a94d71 3539->3541 3540->3541 3548 2a94d81-2a94d85 3541->3548 3549 2a94d73-2a94d77 3541->3549 3550 2a94d95-2a94d99 3548->3550 3551 2a94d87-2a94d8b 3548->3551 3549->3548 3552 2a94d79 3549->3552 3554 2a94da9-2a94dad 3550->3554 3555 2a94d9b-2a94d9f 3550->3555 3551->3550 3553 2a94d8d 3551->3553 3552->3548 3553->3550 3557 2a94dbd-2a94dc1 3554->3557 3558 2a94daf-2a94db3 3554->3558 3555->3554 3556 2a94da1 3555->3556 3556->3554 3560 2a94dd1-2a94dd5 3557->3560 3561 2a94dc3-2a94dc7 3557->3561 3558->3557 3559 2a94db5 3558->3559 3559->3557 3562 2a94de5 3560->3562 3563 2a94dd7-2a94ddb 3560->3563 3561->3560 3564 2a94dc9-2a94dcc call 2a90ab8 3561->3564 3568 2a94de6 3562->3568 3563->3562 3566 2a94ddd-2a94de0 call 2a90ab8 3563->3566 3564->3560 3566->3562 3568->3568
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b97f9c82f6aea146bcaf64e90ef8a6bb5acec276d5eee66037b954dc66c23141
                              • Instruction ID: 6594f3b17164aea9abff76f333fee454bfbe02cb09b6f95bce34bc420db2d433
                              • Opcode Fuzzy Hash: b97f9c82f6aea146bcaf64e90ef8a6bb5acec276d5eee66037b954dc66c23141
                              • Instruction Fuzzy Hash: 77A14A74E003198FDF10CFAAD88579DBBF1AF8C754F148129D819EB294EB749886CB91
                              Function 02A9068B Relevance: .2, Instructions: 203COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 976cdf669223778c1c0e2bfee51dd749381f461ed609de8847affac0f2d10509
                              • Instruction ID: d7c42ae15e9d14b106d53a746332243f8dfab6a138560020dab2c9511dff7b23
                              • Opcode Fuzzy Hash: 976cdf669223778c1c0e2bfee51dd749381f461ed609de8847affac0f2d10509
                              • Instruction Fuzzy Hash: A751AD72D0C3569FDF11277B8C563A63BE0EB922E4F1640AAD181CB187EE55C886C7E1
                              Function 02A91108 Relevance: .1, Instructions: 138COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16c8337dd15e72d1da8cc429122f9b3b8d200ebb33cf842a93ddfd1c564b7dcc
                              • Instruction ID: 48386d73a1228245cb5824e9d17f27012c082f506591e514c9bbca16d7687781
                              • Opcode Fuzzy Hash: 16c8337dd15e72d1da8cc429122f9b3b8d200ebb33cf842a93ddfd1c564b7dcc
                              • Instruction Fuzzy Hash: 39516131645282CFDB0AFF2CFA909647FF6FB9630C71459A9D1144FB2ADA606A46CF40
                              Function 02A96EE3 Relevance: .1, Instructions: 138COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 85fe5adae5a7899ee9db0fbe5f364ff445d9a70f39fe984bb370ec6778adedba
                              • Instruction ID: 504a8d72332ce856f0206120fd1aa9be98dae584f2ea0ea44efbb6caec38d08d
                              • Opcode Fuzzy Hash: 85fe5adae5a7899ee9db0fbe5f364ff445d9a70f39fe984bb370ec6778adedba
                              • Instruction Fuzzy Hash: DD41AF30A102099FDF14DF6AC8917AEB7F6EF85700F10846AE406EB290EF759C42CB51
                              Function 02A96CE8 Relevance: .1, Instructions: 132COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7b02b821bb0f0c2ecd959aed41165b41ce50bb3b2daad7ef1f69f32aa94b5c6d
                              • Instruction ID: 315450e07a950376272e7c42e03aed1e4fd2da1fecc574ef0c8306ada6cd3f51
                              • Opcode Fuzzy Hash: 7b02b821bb0f0c2ecd959aed41165b41ce50bb3b2daad7ef1f69f32aa94b5c6d
                              • Instruction Fuzzy Hash: 9551E271D006188FDF14CFAAC884BADBBF5BF48714F14852AE815AB351DB74A844CF95
                              Function 02A96CDF Relevance: .1, Instructions: 131COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b042fb91d428d2c284dcf8a6de60deb397e82f87b12c27cca7d131816da814a
                              • Instruction ID: 2a465b2ed4d74571a5fcef9dba62147a21319eec0a71ee1f15b01c468fb3c416
                              • Opcode Fuzzy Hash: 0b042fb91d428d2c284dcf8a6de60deb397e82f87b12c27cca7d131816da814a
                              • Instruction Fuzzy Hash: D351F075E006188FDF18CFAAD884BADBBF5BF48714F14812AE815AB351DB74A844CF94
                              Function 02A926DC Relevance: .1, Instructions: 126COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 052bb6f7d6462f0483bb602d32490771059d972b60e59e75900cfe5e171c2b09
                              • Instruction ID: bb3c3a9db1ec284fc6050a98a9b33b1f269b62dd6ce1ee556c904f67ab2fb3b9
                              • Opcode Fuzzy Hash: 052bb6f7d6462f0483bb602d32490771059d972b60e59e75900cfe5e171c2b09
                              • Instruction Fuzzy Hash: 7751F0719003499FEB14DFAAC884BDEBBF1EF48314F24842AE809AB250DB759945CF90
                              Function 02A9F2FD Relevance: .1, Instructions: 113COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6676976fa5832026cd805fda4592b230d0da086f35bdd56f3b0fd0680242b69f
                              • Instruction ID: 980af5fda80db2bb6fffdeaa9bd186069747c552a7698a3043d11fd8d7981743
                              • Opcode Fuzzy Hash: 6676976fa5832026cd805fda4592b230d0da086f35bdd56f3b0fd0680242b69f
                              • Instruction Fuzzy Hash: 2231AC30B002059FDF15AB75D99466F7BE2AF89644F2444A8D416DB389DF39CC42CB91
                              Function 02A91138 Relevance: .1, Instructions: 112COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1bcd0e38324b0f7945ea3082e10ad0f21f432147141fac5611e64eda74b8f473
                              • Instruction ID: 76fac83189e2ac382008577d2f9fb21795be9138cf726d4fde0542832fc0f149
                              • Opcode Fuzzy Hash: 1bcd0e38324b0f7945ea3082e10ad0f21f432147141fac5611e64eda74b8f473
                              • Instruction Fuzzy Hash: 9A51FC30645242CFCB0AFF2CFA909657BF6F7953093149969D2144FB2ADA706A46CF80
                              Function 02A9F1C0 Relevance: .1, Instructions: 95COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 79d16d7a8b6b565fa501a1fbfa30c2db7504909d63d4e18a8fa3233ebbd3b422
                              • Instruction ID: 6b36c4e9306ab31ea904a973de0b4456f5b7bd12b6550031ebb0cc32c91d38ec
                              • Opcode Fuzzy Hash: 79d16d7a8b6b565fa501a1fbfa30c2db7504909d63d4e18a8fa3233ebbd3b422
                              • Instruction Fuzzy Hash: DD314A38E102059FDB15CFA9D99569EB7F2BF88300F108529E816E7784DF70AC82CB80
                              Function 02A96F78 Relevance: .1, Instructions: 95COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c8de1005b6b378cdf8962eb1bc632b36dcef11d49d4f009741399c9b6700f770
                              • Instruction ID: dce518bb97c19a2876b35c63357c8f117117175adef1c85a70e6450fc0c8434e
                              • Opcode Fuzzy Hash: c8de1005b6b378cdf8962eb1bc632b36dcef11d49d4f009741399c9b6700f770
                              • Instruction Fuzzy Hash: 29315C71E102199BEF14CF66D89179EB7F6FF85700F108526E406EB280EF71A946CB50
                              Function 02A9F1D0 Relevance: .1, Instructions: 91COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be0f079b365743fe414777526a1f8fb9164720e839fa0876df60ca8fa7e052c5
                              • Instruction ID: 2e7814c49b08405de878b1bcf4e14aa0debaaaf673bdfc2942b0c91c2b2d7819
                              • Opcode Fuzzy Hash: be0f079b365743fe414777526a1f8fb9164720e839fa0876df60ca8fa7e052c5
                              • Instruction Fuzzy Hash: B7313A38A106099FDB15CFA9D99469EF7F2AF89300F108919E816E7744DF70A842CB90
                              Function 02A926E8 Relevance: .1, Instructions: 90COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9f3fe519951b47ee7ff029613fc281956799e816fc94709284dc650e0597d14b
                              • Instruction ID: 5ddc9bd8d54e033418810071c494f4c14e831e12ab51ae01f7ea19dba89f8fac
                              • Opcode Fuzzy Hash: 9f3fe519951b47ee7ff029613fc281956799e816fc94709284dc650e0597d14b
                              • Instruction Fuzzy Hash: F241C0B0D00349EFEB14DFAAC884ADEBBF5FF48714F148429E809AB250DB759945CB90
                              Function 02A9081E Relevance: .1, Instructions: 88COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a087b4898508e6d23133c1aa1fcb03f6d71bf1cf4c2dfeaa9a4603d6efb2d70
                              • Instruction ID: fb8facbe7c46c283ee4d342d289f2eb7b8ef39fa68b418ac95ff540d58f806f9
                              • Opcode Fuzzy Hash: 9a087b4898508e6d23133c1aa1fcb03f6d71bf1cf4c2dfeaa9a4603d6efb2d70
                              • Instruction Fuzzy Hash: C021F831B10209DBEF54677B999177A32D4EB453A4F20CA2EE166CF685EF61C8818FC1
                              Function 02A99251 Relevance: .1, Instructions: 79COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b9b083cc0db1f298ef3cd94c7edf03728ce4334b437aec73c9a9d1c3a8ee8794
                              • Instruction ID: 50bec80e2a522143204a827a041651b4d8206df9b6fff538713f3a73455b116e
                              • Opcode Fuzzy Hash: b9b083cc0db1f298ef3cd94c7edf03728ce4334b437aec73c9a9d1c3a8ee8794
                              • Instruction Fuzzy Hash: B4315C35E0024AABDF05CFA9D99079EF7B2BF89304F54865AE805AB340DB71D846CB80
                              Function 02A99260 Relevance: .1, Instructions: 78COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: aba8774aaddcc6dea136151d1205cf572028b5c80fe0411490d00bc10606ad97
                              • Instruction ID: d09dbed47b3611eb96b8f8f7acfa7ecb5ee4b869e92e443d9cf3a88b9d3fd8b0
                              • Opcode Fuzzy Hash: aba8774aaddcc6dea136151d1205cf572028b5c80fe0411490d00bc10606ad97
                              • Instruction Fuzzy Hash: 37214D35E0020AABDF15CFA5D99069FF7B2BF89304F10861AE805AB340DB71D846CB90
                              Function 02A99150 Relevance: .1, Instructions: 75COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3e8e6905fbdb5237ad878f6f9610eb603edec11ad5573e2127b3f757bc5f0a0
                              • Instruction ID: 10ade47050324b0be64e674127b68b63d434706fb2b2380651d26bd52e21f5e7
                              • Opcode Fuzzy Hash: a3e8e6905fbdb5237ad878f6f9610eb603edec11ad5573e2127b3f757bc5f0a0
                              • Instruction Fuzzy Hash: 58216235E00206ABDF19CF65D98469EF7F2BF89310F10862AE816F7341EB709946CB50
                              Function 02A916A3 Relevance: .1, Instructions: 72COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a9e36d538f4f1875a81bc3f4b59441ef50b559c31f154a72e2304634a05c0fc1
                              • Instruction ID: ef362bc12f373be0a614c76cfc2b0350a4f79bf7f9a86574161df6f7f7e59717
                              • Opcode Fuzzy Hash: a9e36d538f4f1875a81bc3f4b59441ef50b559c31f154a72e2304634a05c0fc1
                              • Instruction Fuzzy Hash: 202180386001039FEF11EB29E9C472A77E6E745318F104A29E11ECFB95EF29D8818F91
                              Function 029CD030 Relevance: .1, Instructions: 72COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3383717591.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_29cd000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 71518b0b96e8c8619f4079cf720d154603a5e3dd9121648d182105e6a0773bc1
                              • Instruction ID: dd011d5fcaa34671ba306776ca97c438d38bcd5d64f23d0cd4083c77aa7e1d3d
                              • Opcode Fuzzy Hash: 71518b0b96e8c8619f4079cf720d154603a5e3dd9121648d182105e6a0773bc1
                              • Instruction Fuzzy Hash: 4621C271504244EFDB14DF18D9C0B26BBA5EB84324F34C97DD94A4B296C37AD447CA72
                              Function 02A94F89 Relevance: .1, Instructions: 71COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 972f4ff1c17ec700e48655a3baa200f40dddfdd88541886b6330ca17551f7b52
                              • Instruction ID: 03869c1aa8872165c41bbf7dce9779b811133b06747e9c141d59cc4728061556
                              • Opcode Fuzzy Hash: 972f4ff1c17ec700e48655a3baa200f40dddfdd88541886b6330ca17551f7b52
                              • Instruction Fuzzy Hash: 5B213534B002058FCB14EB79C699BAD7BF1AF89304F5008A8E406EB3A0DB769D01CB91
                              Function 02A99160 Relevance: .1, Instructions: 70COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e4fc9ca197e9496106f6bfe4089f3e43ea584dfd2fda129356c538fe8f3578d
                              • Instruction ID: 95988c3e3cf2c47dc68414d22264cc089d26bd0fb1a667dc100c6324b5d06b93
                              • Opcode Fuzzy Hash: 9e4fc9ca197e9496106f6bfe4089f3e43ea584dfd2fda129356c538fe8f3578d
                              • Instruction Fuzzy Hash: 40212F35E0020AABDF19CFA5D99469EF7F2BF89710F20851AE816BB340EB719945CB50
                              Function 02A91888 Relevance: .1, Instructions: 70COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4f70c7391efc5a17dbdb0e0d05b8fe13c8654c28e523272b0465db39186569d
                              • Instruction ID: a77d9bc28b7eaf949fb7200fff1ccb5708f454ae9c3bd4c1b1d7994558043874
                              • Opcode Fuzzy Hash: c4f70c7391efc5a17dbdb0e0d05b8fe13c8654c28e523272b0465db39186569d
                              • Instruction Fuzzy Hash: 47213934B0021ACFEF14EB79C6547AE77F6AB89244F240468C50AEB394DF769D40CBA1
                              Function 02A91383 Relevance: .1, Instructions: 69COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b29452082f76494e5d9b4c1806c862d98df20e20b496b63269d1c1863848cb4
                              • Instruction ID: bad770337ec18cb30a7664143733e6cd766f218d22deb14976e296717d9293c0
                              • Opcode Fuzzy Hash: 2b29452082f76494e5d9b4c1806c862d98df20e20b496b63269d1c1863848cb4
                              • Instruction Fuzzy Hash: 6021E1B46042029BEF716729E5D93293AE1EB86319F001879E40ECB7C1DF68C8C1C742
                              Function 02A916B0 Relevance: .1, Instructions: 69COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: df47eb3c70217c52be8f42890610bcf4d2bbc58d0b3e41f362c1f3e0b71202cb
                              • Instruction ID: d25039d333d6d0651578e56427a5ee7ed9f2ae324f9a3a0c646040d58e09b2e3
                              • Opcode Fuzzy Hash: df47eb3c70217c52be8f42890610bcf4d2bbc58d0b3e41f362c1f3e0b71202cb
                              • Instruction Fuzzy Hash: 15216D386001039FEF12EB29E9C476A77E6E745318F104A25E11ECFB59DF29D8818F91
                              Function 02A9187B Relevance: .1, Instructions: 69COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: afc33642d055bf20d7e5ba0157ad4d877d537f24edd2e09fc36afbb25d9acc1f
                              • Instruction ID: fbd390f956cde39341e66ad345d03f7d8c0a373aa4e1cb4b3326a9dc8e0459e8
                              • Opcode Fuzzy Hash: afc33642d055bf20d7e5ba0157ad4d877d537f24edd2e09fc36afbb25d9acc1f
                              • Instruction Fuzzy Hash: 14214A30B04256CFDF14EB79C6947AD37F2AB49208F240468C10AEB295DF368D40CB91
                              Function 02A94F98 Relevance: .1, Instructions: 68COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: af761a3490390cba96b15c251c0032baa298340b05e8057452a52443539c7088
                              • Instruction ID: 49df9deb125518914bf224d257dc749426441f38d5413d3152ca165028eb7e8c
                              • Opcode Fuzzy Hash: af761a3490390cba96b15c251c0032baa298340b05e8057452a52443539c7088
                              • Instruction Fuzzy Hash: A621F234A402058FDB14EB79C699BAD77F2AB89304F500868E40AEB3A4DF769D41CB91
                              Function 029CD006 Relevance: .1, Instructions: 68COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3383717591.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_29cd000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8afa476867eef5cc5c30109d30591bcf8e096a85ffd9a80d366dd86752ee423e
                              • Instruction ID: 306ffd1fd31f87963e6bb28f8fbd95cf1ca9cf93777348b67868d7a54df5b6c8
                              • Opcode Fuzzy Hash: 8afa476867eef5cc5c30109d30591bcf8e096a85ffd9a80d366dd86752ee423e
                              • Instruction Fuzzy Hash: 7D217A7550D3C08FDB07CB24C990715BF71AB46214F28C5EBD8898F6A3C33A984ACB62
                              Function 02A90848 Relevance: .1, Instructions: 62COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7590cce0b32e1947d0856e204cb81e18614f2b9e27cec7344761f15707c85ab
                              • Instruction ID: bf3ac91b5eff7ca040b80b91f2b641e6b4eaeca80ea57cb18d84487298c6043e
                              • Opcode Fuzzy Hash: d7590cce0b32e1947d0856e204cb81e18614f2b9e27cec7344761f15707c85ab
                              • Instruction Fuzzy Hash: 33115130B002098FEF54AB7BD99472936E5EB85394F208A3AE116CF785DF61CC818BC1
                              Function 02A917C3 Relevance: .1, Instructions: 57COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 308cbf12078a2533c705a2a51acf094fc5506abdb52dfd1990918dee7e55c9a4
                              • Instruction ID: acc75cf2f3bf66f39748cfc1ea8d82b83bdeae92ace2ea9d8b703149ce3c0e30
                              • Opcode Fuzzy Hash: 308cbf12078a2533c705a2a51acf094fc5506abdb52dfd1990918dee7e55c9a4
                              • Instruction Fuzzy Hash: 5511C231F01212AFDF00AB7A9A046AF7BF9FB48660F104825E909D7380EF34C9418B80
                              Function 02A91488 Relevance: .1, Instructions: 57COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d112348ed5e030fe40f2cd62eafa59b1aa028e327acb51c79ddbbe5fc11da9d1
                              • Instruction ID: 6313c86e17df96cdfd81ebe719d6296b6179a9e4ecc4cc0f0c641a5abacecb94
                              • Opcode Fuzzy Hash: d112348ed5e030fe40f2cd62eafa59b1aa028e327acb51c79ddbbe5fc11da9d1
                              • Instruction Fuzzy Hash: C7117075A012128FCF12EFB985903AD77F5AF49250B15447AD409EB301EF35D941CF91
                              Function 02A91498 Relevance: .1, Instructions: 53COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ac510b2cc480e0a9ed000571d4312cd09890adf3bfc08fd3c7d486724abe7d94
                              • Instruction ID: 11d8054bcc5c3e41a158484a66c936aa7fa0182dc4f599a3365d74c74c2e597c
                              • Opcode Fuzzy Hash: ac510b2cc480e0a9ed000571d4312cd09890adf3bfc08fd3c7d486724abe7d94
                              • Instruction Fuzzy Hash: DE012D71A012169FCF25EFBA85902AE7BF6EF89250B15047AD40AE7300EF35D941CF95
                              Function 02A99890 Relevance: .1, Instructions: 51COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f3bf8a2730eaf57158752bdad89f88e91e9ced30b508301eca7f3d9a989e631b
                              • Instruction ID: 0e3bf23a3f8e6a15b2505e47654f5f77f08f9dc867fac66f3e4d4e2dc07953c3
                              • Opcode Fuzzy Hash: f3bf8a2730eaf57158752bdad89f88e91e9ced30b508301eca7f3d9a989e631b
                              • Instruction Fuzzy Hash: 1011C431A002058FDB10DF65E88579ABBB6FF81310F54C229D9085B3AAEB749D46CBA0
                              Function 02A980F0 Relevance: .0, Instructions: 35COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f3a6f4068934eda0616aa4f4d4296d0d37659515d0f3b86be8cc24630894cfd3
                              • Instruction ID: ec88a347360e90beb0fe9613eb317aa32ffde558a11b15d06e90036e08b3921a
                              • Opcode Fuzzy Hash: f3a6f4068934eda0616aa4f4d4296d0d37659515d0f3b86be8cc24630894cfd3
                              • Instruction Fuzzy Hash: 6D018F7450028A9EDB02EBA8EA5099D7BB1EF42308B4046E8C1555F696DF36AA46CB81
                              Function 02A97090 Relevance: .0, Instructions: 34COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e5a3b7203121baf5e940d14f524c74e6c7b6cb5c97588ffec05a1a15c6d9eacf
                              • Instruction ID: c68ed5eb6aae0a9022bc6ea6bbeade18307126ab64293cac4631f2781f8d96f5
                              • Opcode Fuzzy Hash: e5a3b7203121baf5e940d14f524c74e6c7b6cb5c97588ffec05a1a15c6d9eacf
                              • Instruction Fuzzy Hash: E2F0E735B10248CFD714EB64D5A9B6D77B2EF88715F5040A8E5069B3A0DF75AD42CF40
                              Function 02A98100 Relevance: .0, Instructions: 33COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7a65746917dc760a9271f7d48347b0d37aa2cbe4ebcdf3741983862e618050dd
                              • Instruction ID: 5df2566a5648d13224b758a5a85328783555c54ff5de0d9b0664bcb5fd66af0f
                              • Opcode Fuzzy Hash: 7a65746917dc760a9271f7d48347b0d37aa2cbe4ebcdf3741983862e618050dd
                              • Instruction Fuzzy Hash: F1F03C3490010AEFDB01FBA8EA8199DBBF5EF81304F5046A9C1099B755EF31AE468B81
                              Function 02A96C0C Relevance: .0, Instructions: 12COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000003.00000002.3384167243.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1a5c84a876baccbe6d06550c11bddef624980fe578e409af2b2b55962569720c
                              • Instruction ID: 9c61be26bc1ec7bb4c50cada12dbb1c99c0f5bd92ebe790c525c3b9f02f84b9e
                              • Opcode Fuzzy Hash: 1a5c84a876baccbe6d06550c11bddef624980fe578e409af2b2b55962569720c
                              • Instruction Fuzzy Hash: 86C0123A3480508F89019728E05447837B5DFC962931400D6D148CB321CE125802CB00