
Windows Analysis Report
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe

Overview

General Information

Sample name:SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Analysis ID:1466586
MD5:0c4d10bb9e089cd3126533df5f72a958
SHA1:8905b784ed0bb4de061700f3bd64c4a1a6674074
SHA256:825f69fe9f15110c8199a4f1e9ab2f316385585a6b436b9a7c33ab2dc31fe76b
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe" MD5: 0C4D10BB9E089CD3126533DF5F72A958)
    • powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7968 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7708 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 7840 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • XjmosAst.exe (PID: 7912 cmdline: C:\Users\user\AppData\Roaming\XjmosAst.exe MD5: 0C4D10BB9E089CD3126533DF5F72A958)
    • schtasks.exe (PID: 8124 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp4EE4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 8176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 7196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Malware family: Agent Tesla (AgentTesla)
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "naz@itc-ib.net", "Password": "*SGCViVH2@@@@11$#4%%   "}
Yara matches in memory dumps (source | rule | description | author):
  • 00000006.00000002.1693905753.0000000003250000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0000000C.00000002.2880157925.000000000317A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (14 further entries not shown)

Yara matches in unpacked PE files (source | rule | description | author):
  • 6.2.MSBuild.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 6.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 6.2.MSBuild.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Matched strings:
      0x334a3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      0x33515:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      0x3359f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      0x33631:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      0x3369b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      0x3370d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      0x337a3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      0x33833:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (10 further entries not shown)

                    Networking

Source: Network connection | Author: Joe Security
  DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7840, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | this event is listed twice in the report's Sigma results
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (ProcessId: 7668, ProcessName: powershell.exe)
  Parent: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe" (ParentProcessId: 7508)
  CommandLine|base64offset|contains: ~2yzw
Source: Process started | Author: Florian Roth (Nextron Systems)
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp4EE4.tmp"
  Image: C:\Windows\SysWOW64\schtasks.exe (ProcessId: 8124, ProcessName: schtasks.exe)
  Parent: C:\Users\user\AppData\Roaming\XjmosAst.exe (ParentProcessId: 7912)
  CommandLine|base64offset|contains: *j
Source: Process started | Author: Florian Roth (Nextron Systems)
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
  Image: C:\Windows\SysWOW64\schtasks.exe (ProcessId: 7708, ProcessName: schtasks.exe)
  Parent: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe" (ParentProcessId: 7508)
  CommandLine|base64offset|contains: *j
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (ProcessId: 7668, ProcessName: powershell.exe)
  Parent: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe" (ParentProcessId: 7508)
  CommandLine|base64offset|contains: ~2yzw
Note: in every entry the command line names System32 but the executed image is under SysWOW64. The sample is a 32-bit PE, so its child processes are subject to WOW64 file-system redirection; detection rules keyed on the image path must account for both locations.

                    Persistence and Installation Behavior

Source: Process started | Author: Joe Security
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
  Image: C:\Windows\SysWOW64\schtasks.exe (ProcessId: 7708, ProcessName: schtasks.exe)
  Parent: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe" (ParentProcessId: 7508)
  CommandLine|base64offset|contains: *j
Note: C:\Users\user\AppData\Roaming\XjmosAst.exe has the same MD5 as the submitted sample (see the process tree), so the persistence chain is a self-copy registered under the task name Updates\XjmosAst from an XML definition written to %LOCALAPPDATA%\Temp; the copy repeats the same schtasks call (ProcessId 8124) when it starts. The task XML itself is not reproduced in the report.
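The Sigma hits in the System Summary and Persistence sections above, together with the MSBuild SMTP connection in the Networking section, reduce to three behaviours that can be checked from ordinary process-creation and network-connection telemetry: a PowerShell Add-MpPreference exclusion, a schtasks /Create fed an XML file from the user's Temp directory, and a .NET build host opening a mail port. The following is an added example of that triage logic in Python; it is not Joe Sandbox or Sigma code. The Event shape, the rule names and the two benign control events are assumptions; the malicious sample events are constructed from the command lines, parent image and PIDs this report lists.

```python
"""Triage rules for the three behaviours the report's Sigma hits describe.

Added example, not Joe Sandbox or Sigma code. Event layout, rule names and
the benign control events are assumptions; the malicious sample events are
constructed from the command lines and PIDs in the report.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" (process-creation) or "network" (connection)
    image: str              # executed image, as logged (SysWOW64 for a 32-bit parent)
    cmdline: str = ""
    parent_image: str = ""
    dest_port: int = 0
    pid: int = 0


# Assumed rule names; each mirrors one of the report's Sigma hits.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)
SCHTASKS_XML_FROM_TEMP = re.compile(r'/create\b.*/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)
USER_WRITABLE_PARENT = re.compile(r"\\(AppData|Users\\[^\\]+\\Desktop|Temp)\\", re.I)
MAIL_PORTS = {25, 465, 587}
DOTNET_BUILD_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


def basename(path: str) -> str:
    """Lower-cased file name, so System32 and SysWOW64 copies compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule_name, pid, evidence) for every event/rule pair that matches."""
    hits = []
    for ev in events:
        name = basename(ev.image)
        if ev.kind == "process":
            if name == "powershell.exe" and DEFENDER_EXCLUSION.search(ev.cmdline):
                hits.append(("defender_exclusion_added", ev.pid, ev.cmdline))
            if name == "schtasks.exe" and SCHTASKS_XML_FROM_TEMP.search(ev.cmdline):
                hits.append(("schtask_created_from_temp_xml", ev.pid, ev.cmdline))
            if name in {"powershell.exe", "schtasks.exe"} and USER_WRITABLE_PARENT.search(ev.parent_image):
                hits.append(("lolbin_spawned_from_user_writable_path", ev.pid, ev.parent_image))
        elif ev.kind == "network":
            if name in DOTNET_BUILD_HOSTS and ev.dest_port in MAIL_PORTS:
                hits.append(("dotnet_host_smtp_connection", ev.pid, f"{ev.image} -> tcp/{ev.dest_port}"))
    return hits


def rule_counts(hits):
    """How often each rule fired; useful for scoring a whole process tree."""
    return Counter(rule for rule, _, _ in hits)


def sample_events():
    """Constructed from this report's process tree and network event, plus two
    benign controls (a schtasks query from cmd.exe, a mail client on 587)."""
    dropper = r"C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe"
    return [
        Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"',
              dropper, pid=7668),
        Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"',
              dropper, pid=7708),
        Event("network", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", dest_port=587, pid=7840),
        Event("process", r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /Query /TN "Updates\XjmosAst"',
              r"C:\Windows\System32\cmd.exe", pid=1),
        Event("network", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", dest_port=587, pid=2),
    ]


if __name__ == "__main__":
    for rule, pid, evidence in evaluate(sample_events()):
        print(f"[{rule}] pid={pid} {evidence}")
```

The parent-path rule fires twice here (once for powershell.exe, once for schtasks.exe), which is the point: a single hit on a LOLBin with a user-writable parent is noisy on its own, but two of them under one parent plus a Defender exclusion and a mail connection from MSBuild.exe is the shape of this sample's whole tree.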
                    No Snort rule has matched


                    AV Detection

Source: 6.2.MSBuild.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "naz@itc-ib.net", "Password": "*SGCViVH2@@@@11$#4%% "}
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Virustotal: Detection: 33%
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Virustotal: Detection: 33%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 208.91.199.223:587 (listed twice in the report)
Source: Joe Sandbox View | IP address: 208.91.199.223
Source: Joe Sandbox View | ASN name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 events), 199.232.214.172 (4 events)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS query: us2.smtp.mailhostbox.com
Strings found in binary or memory, grouped by dump:

MSBuild.exe dumps 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp and 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmp (CRL, OCSP and CPS URLs of the kind embedded in an X.509 certificate chain):
  • http://crl.comodoca.com/AAACertificateServices.crl04
  • http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
  • http://ocsp.comodoca.com0
  • http://ocsp.sectigo.com0A
  • https://sectigo.com/CPS0
MSBuild.exe dumps 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp and 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmp:
  • http://crl.comodoca.com/AAACertificateServices.crl06
MSBuild.exe dump 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp (truncated strings):
  • http://crl.micros
  • http://crt.Nh
MSBuild.exe dumps 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp and 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp (the configured exfiltration host):
  • http://us2.smtp.mailhostbox.com
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe dump 00000000.00000002.1658382497.00000000028D5000.00000004.00000800.00020000.00000000.sdmp and XjmosAst.exe dump 00000007.00000002.1694735664.0000000002765000.00000004.00000800.00020000.00000000.sdmp:
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe dump 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp and MSBuild.exe dump 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp:
  • https://account.dyn.com/
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe dump 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp (font-foundry and license URLs of the kind carried in embedded font resources; not network indicators for this sample):
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn

Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 3DlgK9re6m.cs | .Net Code: j72D
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, 3DlgK9re6m.cs | .Net Code: j72D

                    System Summary

Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
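The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hits above are string matches on the eight Windows Vault credential-schema GUIDs listed with that rule in the Yara table earlier in this report. The following is an added example, not the original Yara rule, of the same check in Python: it scans a buffer for those GUIDs in both ASCII and UTF-16LE (the encoding of the .NET user-string heap, which is how a managed stealer normally carries them) and reports the offset and encoding of each hit. The three-distinct-GUIDs threshold, the function names and the constructed sample buffer are assumptions; the original rule's match condition is not reproduced on the page.

```python
"""Scan a buffer for the Windows Vault credential-schema GUIDs that the
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID rule in this report matched on.

Added example, not the original Yara rule. The GUID list is copied from the
report's string matches; the MIN_DISTINCT threshold and the sample buffer
are assumptions for illustration.
"""
import re

VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]
MIN_DISTINCT = 3   # assumed threshold, not the original rule's condition


def _patterns():
    """One case-insensitive byte pattern per GUID for ASCII and for UTF-16LE."""
    out = []
    for guid in VAULT_SCHEMA_GUIDS:
        ascii_pat = re.compile(re.escape(guid.encode("ascii")), re.I)
        # UTF-16LE interleaves a NUL after every ASCII byte; re.I still folds case.
        utf16_pat = re.compile(re.escape(guid.encode("utf-16le")), re.I)
        out.append((guid, ascii_pat, utf16_pat))
    return out


def scan(buf: bytes):
    """Return {guid: [(offset, encoding), ...]} for every GUID present in buf."""
    found = {}
    for guid, ascii_pat, utf16_pat in _patterns():
        for m in ascii_pat.finditer(buf):
            found.setdefault(guid, []).append((m.start(), "ascii"))
        for m in utf16_pat.finditer(buf):
            found.setdefault(guid, []).append((m.start(), "utf-16le"))
    return found


def verdict(buf: bytes):
    """(suspicious, matches): suspicious when MIN_DISTINCT or more GUIDs occur."""
    found = scan(buf)
    return len(found) >= MIN_DISTINCT, found


def build_sample() -> bytes:
    """Constructed test buffer: a fake 64-byte header, three GUIDs as UTF-16LE
    strings, filler, then one GUID as lowercase ASCII. Not a real binary."""
    parts = [b"MZ" + b"\x00" * 62]
    for guid in VAULT_SCHEMA_GUIDS[:3]:
        parts.append(guid.encode("utf-16le") + b"\x00\x00")
    parts.append(b"\x90" * 16 + VAULT_SCHEMA_GUIDS[5].lower().encode("ascii") + b"\x00")
    return b"".join(parts)


if __name__ == "__main__":
    suspicious, matches = verdict(build_sample())
    print("suspicious:", suspicious)
    for guid, where in matches.items():
        print(guid, where)
```

Run it against the bytes of an unpacked image (the report's matches are all in unpacked or dumped regions such as 6.2.MSBuild.exe.400000.0.unpack) rather than the packed dropper on disk; the offsets it prints are directly comparable to the 0x334a3-style offsets the Yara table lists.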
Large array initialization (array initializer size 3088) in -Module-.cs, member _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E (the member name is built from Unicode format characters, a common .NET obfuscator pattern), found in:
  • 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.6da0000.6.raw.unpack
  • 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.283bccc.1.raw.unpack
  • 7.2.XjmosAst.exe.26cbb60.0.raw.unpack
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_00ACE3A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026F03F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026F3358
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026F03DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026F4E38
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026F4E37
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026FAEC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026F2F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026F57E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_026F3790
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_04D3BB98
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_04D3BB97
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9C6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D945B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D97C89
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9C6C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92644
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9267D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D927B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9270D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9BE70
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9BE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D97E2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D94F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D94F01
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92C51
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92C7B
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D93D6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D95A58
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92A58
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D95A49
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92A28
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92BAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92B75
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92B1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9B8C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D928EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9B8BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9285C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9287E
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92993
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D9295A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D92923
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E26E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E26720
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E26710
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E27A78
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E2BEC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E2863A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E2AE07
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E26E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E2A510
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E20B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E20040
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E20007
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06E2001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_01499378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_01499B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_01494A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0149CDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_01493E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_014941C8
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_00CAE3A4
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_047303F0
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_04734E38
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_04734E29
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_04732F20
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_047357E8
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_04733790
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_0473A2A0
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_04733358
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_047303DF
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06906E20
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06906710
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06906720
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06907A78
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_0690BED8
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06906E10
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_0690AE07
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_0690863B
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06908648
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_0690A510
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06900B00
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06900007
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_06900040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_01289B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_01284A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0128CDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_01283E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_012841C8
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1669604311.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658233780.0000000002660000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658860263.00000000041EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecd9b6a9b-2173-42d1-b391-e58738cecc5f.exe4 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658382497.0000000002811000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658382497.0000000002811000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecd9b6a9b-2173-42d1-b391-e58738cecc5f.exe4 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1670426591.00000000086B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1670426591.00000000086B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUGRU.exe\ vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1657840404.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Binary or memory string: OriginalFilenameUGRU.exe\ vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XjmosAst.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, slKb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, mAKJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, xQRSe0Fg.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, n3rhMa.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, MQzE4FWn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, nSmgRyX5a1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 6IMLmJtk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 6IMLmJtk.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 3HroK7qN.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 3HroK7qN.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, yL9ll5nRfy6Bwk0l7C.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, yL9ll5nRfy6Bwk0l7C.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@18/11@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | File created: C:\Users\user\AppData\Roaming\XjmosAst.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | File created: C:\Users\user\AppData\Local\Temp\tmp40BB.tmp
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\XjmosAst.exe C:\Users\user\AppData\Roaming\XjmosAst.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp4EE4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp4EE4.tmp"
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, DemoForm.cs | .Net Code: InitializeComponent
                    Source: XjmosAst.exe.0.dr, DemoForm.cs | .Net Code: InitializeComponent
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.6da0000.6.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.6da0000.6.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs | .Net Code: QwfOs5Vs1p System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.283bccc.1.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.283bccc.1.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs | .Net Code: QwfOs5Vs1p System.Reflection.Assembly.Load(byte[])
                    Source: 7.2.XjmosAst.exe.26cbb60.0.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
                    Source: 7.2.XjmosAst.exe.26cbb60.0.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_00ACB051 push edi; retf 0004h | 0_2_00ACB052
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_04D3A250 push eax; mov dword ptr [esp], ecx | 0_2_04D3A264
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_04D3AD11 push edi; iretd | 0_2_04D3AD3E
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D972B0 push edi; iretd | 0_2_06D972BE
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D97200 push edi; iretd | 0_2_06D97286
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D973D3 push edi; iretd | 0_2_06D973DB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D973F2 push edi; iretd | 0_2_06D973DB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D973EF push edi; iretd | 0_2_06D973F1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Code function: 0_2_06D95C61 push 8BBCEB50h; ret | 0_2_06D95C67
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe | Code function: 7_2_00CA01B5 push esp; iretd | 7_2_00CA01B3
                    Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | Static PE information: section name: .text entropy: 7.883094544477586
                    Source: XjmosAst.exe.0.dr | Static PE information: section name: .text entropy: 7.883094544477586
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, HQxTIiO4Ch65hAEaVN.cs | High entropy of concatenated method names: 'Slt2EfBAfU', 'gmy2Xan4cx', 'Q3vocCnEMr', 'JJxoj0qiWs', 'zmq2KxIXH1', 'D762f1X9JK', 'tGd2Rk8DFU', 'Os72aMZFQY', 'qIT2JJ8fsA', 'KKX2lCB7MG'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, fibamdTanQLo0aQ5I1.cs | High entropy of concatenated method names: 'xMrij8RvyP', 'gJ8iWWek0p', 'VBqiOQUkd6', 's8rinPgdK4', 'BHSibbKD3h', 'bJxiuNbXun', 'jyeipaEfi8', 'aQ4oAulmyq', 'gvUoEoaYrG', 'naWoNLNOua'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, U9YvHd8K0GHCpqmSX5.cs | High entropy of concatenated method names: 'P6ujTvFYi2', 'iuAj3aH2ka', 'zZ9jxPmy5i', 'ST2jVG9Y1f', 'aMIj50HIN7', 'UNVjP27nF7', 'oOykBPvx4F2Ao7TxPP', 'XkvSHQ8ol3xxvGKecQ', 'lwnjjD6AoF', 'tDsjWI6K5G'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, WjZn7XWQJfCFBtFm8T.cs | High entropy of concatenated method names: 'BemonotReg', 'bW2obw4CA8', 'OO8oh8AWsm', 'DwaouD8q8d', 'jMNopr8nBm', 'LBLoTvvkKb', 'm7Zo3b9jGv', 'owroZ6uigk', 'RKvoxMSuTG', 'KupoVwiVrJ'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, uYeCU5xBaTbGxBEuvp.cs | High entropy of concatenated method names: 'mBVssNMHO', 'tk202Akt2', 'bYSMo8oQ0', 'BLi73n6mv', 'stT8l2dtG', 'OatdMcRJG', 'uuGK2tPZ5IrbyHEXD7', 'dagLCBUJHqhCyOOHxY', 'ebjoSkC1T', 'aQjynWYiC'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, rY1YUJ5HmfwoGyOrUF.cs | High entropy of concatenated method names: 'sOq2xo8rRt', 'VUn2VYiXcq', 'ToString', 'ouv2n0GsJY', 'fBk2bqiOqJ', 'tmf2hu3m63', 'Gj92u6li1U', 'xZj2pxqZ4W', 'Npe2T9K2Ie', 'l8Q234u26r'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, q86xiILGrL3WN9TJy0.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'mi9vNUZODa', 'QF6vXP2Kyr', 'ScyvzTpJuy', 'ynsWch2suE', 'cbjWj2bbhN', 'oVZWvQSED1', 'rD6WWqQkC6', 'RIOm3jqqAylDNkBZO7g'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, dvJyEA2G1otQTTrExZ.cs | High entropy of concatenated method names: 'pSwkDyD7S7', 'xWtk8F4IHF', 'BrdkruOJMQ', 'BQ2kmWUcWl', 'dsMkeiVlnn', 'YQUkFRurxV', 'VHbk1Fy3fQ', 'yI6kUyYkkA', 'k7WkIPpOgS', 'K5lkK5O0Mx'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, ENSI8ceZi3otmkSZWOM.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wFEyas8bVX', 'iinyJq94vw', 'PujylVRiRT', 'KwEyteII3A', 'Y5cyqxPXAt', 'pTCy9y8HcU', 'f38yAZ8a1f'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, yL9ll5nRfy6Bwk0l7C.cs | High entropy of concatenated method names: 'mE8baLec77', 'zQMbJcZslK', 'ec3blqUDrV', 'QUjbtemFM7', 'QxXbq0VNgB', 'oCKb9gNpxS', 'OopbAGlO5U', 'IQgbEGoC12', 'CEmbN4X0hx', 'iSQbX8cr8f'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, RsHofFMnxfsjJ8BAiT.cs | High entropy of concatenated method names: 'MFRh0WO8Vv', 'e1fhM1qROV', 'rsFhDg0NMr', 'wC8h8wTEiV', 'mb2h5dOg8L', 'iwuhP2CNNt', 'Wnih21WCqu', 'W3QhowfmAA', 'RXqhidlRtJ', 'qFJhy26Sm8'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, hd1o06zClXUmcEjHAt.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mjnikXX8Q7', 'N2pi5TbL2S', 'jb2iP2Y3FP', 'kPMi2x7KT7', 'gsYiotGcb9', 'YrUiir2Nvi', 'QNoiy6Uu4b'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, lq249OJRn0JaqL6LCm.cs | High entropy of concatenated method names: 'GHnorsfABH', 'skQomoOtRw', 'RY2oHQr8t2', 'YFqoeKuJ3q', 'CBCoan1YMA', 'DnloFFKbaw', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, s1hSPSeh2ulqnbK4w8k.cs | High entropy of concatenated method names: 'ByOiYakclG', 'Slci4kcWhW', 'f30is4WL4o', 'uc7i0PW3u9', 'oXAiGbBqGA', 'bUkiMyHfE9', 'IUGi7wSNgg', 'vF4iD3VYh0', 'oeWi88M2WQ', 'HWwidiI6Hi'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, WPASOHdd8TrOET2oUC.cs | High entropy of concatenated method names: 'r0apB9kQPx', 'mtLpbOHDEw', 'tFPpu4xCqA', 'hxwpTxuGRu', 'acHp3b3Kbq', 'mniuqdEh5x', 'MVWu9gEsAW', 'N1xuApmOBd', 'JphuEHI4yf', 'kMvuN2IklE'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, RGLfaXltfYcfWcg2yC.cs | High entropy of concatenated method names: 'ToString', 'vC3PKFJ0oX', 'O6nPmYPCkm', 'iMaPHZDt7Q', 'kuOPeradGe', 't9wPFhMTEQ', 'FYiPgOXvrg', 'U7fP1lMkjN', 'LonPUdbHDl', 'Pl4P6vR26r'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, oQSDBuVBcRoi9PYASP.cs | High entropy of concatenated method names: 'hlsTnISwb6', 'cAbThJr6wg', 'LCcTpdQuAE', 'XPwpX4Iu9p', 'ytSpzQE9Lm', 'PuSTc1i3yD', 'uuRTjMfDtp', 'd42Tv4KYQ9', 'WGbTWS2udx', 'R2bTOV3SoU'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, iCOWRswtGmG7aYRUHl.cs | High entropy of concatenated method names: 'y1CTYOIApK', 'W4RT41ruel', 'lAOTsrSDqh', 'ULQT0mjJJy', 'VjATGLenK5', 'uYlTMR2G4e', 'egaT7S91Lx', 'NM4TDWgt6P', 'surT8aScvm', 'i05Tdy0dM4'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, uJQ5j86U5sqEhDLqPF.cs | High entropy of concatenated method names: 'J9MuGPHWWU', 'aWGu78Dmre', 'V4qhHfiydg', 'CDgheN5qBF', 'Y5OhF6aYiS', 'JJyhgd2kPS', 'ROEh1qSEOs', 'YSahUSvueM', 'TKHh64KwvR', 'nBnhIXBECD'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs | High entropy of concatenated method names: 'GDAWBGZ5Y8', 'lfcWnuUmJ3', 'G3pWbgv24v', 'mVgWh29GOE', 'uuMWuXAfky', 'LPXWpv8R9e', 'j6EWTTfTuI', 'N5bW308vtb', 'Sj4WZ6agei', 'sjbWxNMYUx'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, V7Oekn7db9gxREMqXb.cs | High entropy of concatenated method names: 'YqV5IqVo4d', 'rAe5fyC3Fu', 'BZ05ahQmvP', 'voX5JqYwd1', 'l2X5mW3XXB', 'KmH5HKx8Sq', 'IVx5eeHVhC', 'r5y5FHdQKg', 'Jxr5g87Nkx', 'PU851eSApb'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, crDeI8gLQHOh5Wfg5B.cs | High entropy of concatenated method names: 'Dispose', 'IkPjNQtEuX', 'jHWvmfQWpk', 'TKLSSB2t7p', 'pRCjXWDZfG', 'idrjzppa9A', 'ProcessDialogKey', 'g4GvcLICCl', 'xdZvjk12Vl', 'aT7vvIpiER'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, HQxTIiO4Ch65hAEaVN.cs | High entropy of concatenated method names: 'Slt2EfBAfU', 'gmy2Xan4cx', 'Q3vocCnEMr', 'JJxoj0qiWs', 'zmq2KxIXH1', 'D762f1X9JK', 'tGd2Rk8DFU', 'Os72aMZFQY', 'qIT2JJ8fsA', 'KKX2lCB7MG'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, fibamdTanQLo0aQ5I1.cs | High entropy of concatenated method names: 'xMrij8RvyP', 'gJ8iWWek0p', 'VBqiOQUkd6', 's8rinPgdK4', 'BHSibbKD3h', 'bJxiuNbXun', 'jyeipaEfi8', 'aQ4oAulmyq', 'gvUoEoaYrG', 'naWoNLNOua'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, U9YvHd8K0GHCpqmSX5.csHigh entropy of concatenated method names: 'P6ujTvFYi2', 'iuAj3aH2ka', 'zZ9jxPmy5i', 'ST2jVG9Y1f', 'aMIj50HIN7', 'UNVjP27nF7', 'oOykBPvx4F2Ao7TxPP', 'XkvSHQ8ol3xxvGKecQ', 'lwnjjD6AoF', 'tDsjWI6K5G'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, WjZn7XWQJfCFBtFm8T.csHigh entropy of concatenated method names: 'BemonotReg', 'bW2obw4CA8', 'OO8oh8AWsm', 'DwaouD8q8d', 'jMNopr8nBm', 'LBLoTvvkKb', 'm7Zo3b9jGv', 'owroZ6uigk', 'RKvoxMSuTG', 'KupoVwiVrJ'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, uYeCU5xBaTbGxBEuvp.csHigh entropy of concatenated method names: 'mBVssNMHO', 'tk202Akt2', 'bYSMo8oQ0', 'BLi73n6mv', 'stT8l2dtG', 'OatdMcRJG', 'uuGK2tPZ5IrbyHEXD7', 'dagLCBUJHqhCyOOHxY', 'ebjoSkC1T', 'aQjynWYiC'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, rY1YUJ5HmfwoGyOrUF.csHigh entropy of concatenated method names: 'sOq2xo8rRt', 'VUn2VYiXcq', 'ToString', 'ouv2n0GsJY', 'fBk2bqiOqJ', 'tmf2hu3m63', 'Gj92u6li1U', 'xZj2pxqZ4W', 'Npe2T9K2Ie', 'l8Q234u26r'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, q86xiILGrL3WN9TJy0.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'mi9vNUZODa', 'QF6vXP2Kyr', 'ScyvzTpJuy', 'ynsWch2suE', 'cbjWj2bbhN', 'oVZWvQSED1', 'rD6WWqQkC6', 'RIOm3jqqAylDNkBZO7g'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, dvJyEA2G1otQTTrExZ.csHigh entropy of concatenated method names: 'pSwkDyD7S7', 'xWtk8F4IHF', 'BrdkruOJMQ', 'BQ2kmWUcWl', 'dsMkeiVlnn', 'YQUkFRurxV', 'VHbk1Fy3fQ', 'yI6kUyYkkA', 'k7WkIPpOgS', 'K5lkK5O0Mx'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, ENSI8ceZi3otmkSZWOM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wFEyas8bVX', 'iinyJq94vw', 'PujylVRiRT', 'KwEyteII3A', 'Y5cyqxPXAt', 'pTCy9y8HcU', 'f38yAZ8a1f'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, yL9ll5nRfy6Bwk0l7C.csHigh entropy of concatenated method names: 'mE8baLec77', 'zQMbJcZslK', 'ec3blqUDrV', 'QUjbtemFM7', 'QxXbq0VNgB', 'oCKb9gNpxS', 'OopbAGlO5U', 'IQgbEGoC12', 'CEmbN4X0hx', 'iSQbX8cr8f'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, RsHofFMnxfsjJ8BAiT.csHigh entropy of concatenated method names: 'MFRh0WO8Vv', 'e1fhM1qROV', 'rsFhDg0NMr', 'wC8h8wTEiV', 'mb2h5dOg8L', 'iwuhP2CNNt', 'Wnih21WCqu', 'W3QhowfmAA', 'RXqhidlRtJ', 'qFJhy26Sm8'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, hd1o06zClXUmcEjHAt.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mjnikXX8Q7', 'N2pi5TbL2S', 'jb2iP2Y3FP', 'kPMi2x7KT7', 'gsYiotGcb9', 'YrUiir2Nvi', 'QNoiy6Uu4b'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, lq249OJRn0JaqL6LCm.csHigh entropy of concatenated method names: 'GHnorsfABH', 'skQomoOtRw', 'RY2oHQr8t2', 'YFqoeKuJ3q', 'CBCoan1YMA', 'DnloFFKbaw', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, s1hSPSeh2ulqnbK4w8k.csHigh entropy of concatenated method names: 'ByOiYakclG', 'Slci4kcWhW', 'f30is4WL4o', 'uc7i0PW3u9', 'oXAiGbBqGA', 'bUkiMyHfE9', 'IUGi7wSNgg', 'vF4iD3VYh0', 'oeWi88M2WQ', 'HWwidiI6Hi'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, WPASOHdd8TrOET2oUC.csHigh entropy of concatenated method names: 'r0apB9kQPx', 'mtLpbOHDEw', 'tFPpu4xCqA', 'hxwpTxuGRu', 'acHp3b3Kbq', 'mniuqdEh5x', 'MVWu9gEsAW', 'N1xuApmOBd', 'JphuEHI4yf', 'kMvuN2IklE'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, RGLfaXltfYcfWcg2yC.csHigh entropy of concatenated method names: 'ToString', 'vC3PKFJ0oX', 'O6nPmYPCkm', 'iMaPHZDt7Q', 'kuOPeradGe', 't9wPFhMTEQ', 'FYiPgOXvrg', 'U7fP1lMkjN', 'LonPUdbHDl', 'Pl4P6vR26r'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, oQSDBuVBcRoi9PYASP.csHigh entropy of concatenated method names: 'hlsTnISwb6', 'cAbThJr6wg', 'LCcTpdQuAE', 'XPwpX4Iu9p', 'ytSpzQE9Lm', 'PuSTc1i3yD', 'uuRTjMfDtp', 'd42Tv4KYQ9', 'WGbTWS2udx', 'R2bTOV3SoU'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, iCOWRswtGmG7aYRUHl.csHigh entropy of concatenated method names: 'y1CTYOIApK', 'W4RT41ruel', 'lAOTsrSDqh', 'ULQT0mjJJy', 'VjATGLenK5', 'uYlTMR2G4e', 'egaT7S91Lx', 'NM4TDWgt6P', 'surT8aScvm', 'i05Tdy0dM4'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, uJQ5j86U5sqEhDLqPF.csHigh entropy of concatenated method names: 'J9MuGPHWWU', 'aWGu78Dmre', 'V4qhHfiydg', 'CDgheN5qBF', 'Y5OhF6aYiS', 'JJyhgd2kPS', 'ROEh1qSEOs', 'YSahUSvueM', 'TKHh64KwvR', 'nBnhIXBECD'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.csHigh entropy of concatenated method names: 'GDAWBGZ5Y8', 'lfcWnuUmJ3', 'G3pWbgv24v', 'mVgWh29GOE', 'uuMWuXAfky', 'LPXWpv8R9e', 'j6EWTTfTuI', 'N5bW308vtb', 'Sj4WZ6agei', 'sjbWxNMYUx'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, V7Oekn7db9gxREMqXb.csHigh entropy of concatenated method names: 'YqV5IqVo4d', 'rAe5fyC3Fu', 'BZ05ahQmvP', 'voX5JqYwd1', 'l2X5mW3XXB', 'KmH5HKx8Sq', 'IVx5eeHVhC', 'r5y5FHdQKg', 'Jxr5g87Nkx', 'PU851eSApb'
                    Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, crDeI8gLQHOh5Wfg5B.csHigh entropy of concatenated method names: 'Dispose', 'IkPjNQtEuX', 'jHWvmfQWpk', 'TKLSSB2t7p', 'pRCjXWDZfG', 'idrjzppa9A', 'ProcessDialogKey', 'g4GvcLICCl', 'xdZvjk12Vl', 'aT7vvIpiER'
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeFile created: C:\Users\user\AppData\Roaming\XjmosAst.exeJump to dropped file
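The "High entropy of concatenated method names" entries above are a heuristic for renaming obfuscation: obfuscators replace .NET method names with random mixed-case alphanumerics, so the Shannon entropy of all names in a class joined into one string rises well above that of readable identifiers. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it recomputes that statistic over the names the report lists for RsHofFMnxfsjJ8BAiT.cs and over a constructed benign class. The threshold and minimum length are illustrative assumptions, not the sandbox's own values.

```python
import math
from collections import Counter

# Method names taken from the report's entry for RsHofFMnxfsjJ8BAiT.cs.
OBFUSCATED = ['MFRh0WO8Vv', 'e1fhM1qROV', 'rsFhDg0NMr', 'wC8h8wTEiV', 'mb2h5dOg8L',
              'iwuhP2CNNt', 'Wnih21WCqu', 'W3QhowfmAA', 'RXqhidlRtJ', 'qFJhy26Sm8']
# Constructed comparison class with ordinary .NET method names.
BENIGN = ['ToString', 'Dispose', 'Equals', 'GetHashCode', 'GetType']

# Illustrative cut-offs chosen for this example; Joe Sandbox's actual values are not in the report.
ENTROPY_THRESHOLD = 4.8   # bits per character
MIN_LENGTH = 32           # below this many characters the estimate is too noisy to trust


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def class_entropy(method_names) -> float:
    """Entropy of all method names of one class concatenated, which is what the report measures."""
    return shannon_entropy(''.join(method_names))


def looks_obfuscated(method_names, threshold=ENTROPY_THRESHOLD, min_length=MIN_LENGTH) -> bool:
    """True when the concatenated names are long enough to judge and at or above the cut-off."""
    joined = ''.join(method_names)
    return len(joined) >= min_length and shannon_entropy(joined) >= threshold


def scan(classes: dict) -> dict:
    """Map class name -> (entropy rounded to 3 places, flagged) for a {class: [names]} listing."""
    return {name: (round(class_entropy(names), 3), looks_obfuscated(names))
            for name, names in classes.items()}


if __name__ == '__main__':
    listing = {'RsHofFMnxfsjJ8BAiT': OBFUSCATED, 'BenignClass': BENIGN}
    for cls, (h, flagged) in scan(listing).items():
        print(f'{cls}: {h:.3f} bits/char {"HIGH ENTROPY" if flagged else "ok"}')
```

Classes that mix inherited names such as ToString, Dispose or CanConvertFrom with obfuscated ones, as several entries above do, score lower than a fully renamed class, and very short name lists are unreliable either way; the signature is per class, so it is best read together with the packer and large-array signatures rather than on its own.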

                    Boot Survival

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
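The schtasks invocation above is what the "Scheduled temp file as task from temp location" Sigma rule keys on: the task is created from an XML definition written to the user's Temp directory, and a task named after the dropped XjmosAst.exe is a typical boot-survival mechanism. Note that the command line names C:\Windows\System32\schtasks.exe while the created process is C:\Windows\SysWOW64\schtasks.exe; the 32-bit sample's System32 path is redirected by WOW64, so hunting logic should accept either path. The Python below is an added triage example, not part of the report: it flags that command line, then inspects a task XML for actions pointing into user-writable directories and for logon or boot triggers. The task XML is constructed for the example (the contents of tmp40BB.tmp are not in the report, and that the task launches C:\Users\user\AppData\Roaming\XjmosAst.exe is an assumption), and the list of user-writable paths is illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML definitions.
TASK_NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Directories an unprivileged user can write to. Illustrative for the example, not a full policy.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\', re.IGNORECASE)

# Command line taken from the report above.
SAMPLE_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" '
                  r'/XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"')

# Constructed task definition: the real tmp40BB.tmp is not in the report, and the action
# pointing at the dropped XjmosAst.exe is an assumption made for this example.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\XjmosAst.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign definition for comparison: vendor binary under Program Files, calendar trigger.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\Updater.exe</Command></Exec>
  </Actions>
</Task>"""


def flag_schtasks_cmdline(cmdline: str) -> list:
    """Reasons a schtasks command line matches the temp-file task creation pattern."""
    reasons = []
    if not re.search(r'schtasks(\.exe)?', cmdline, re.IGNORECASE):
        return reasons
    if not re.search(r'/create\b', cmdline, re.IGNORECASE):
        return reasons
    m = re.search(r'/xml\s+"?([^"\s]+)', cmdline, re.IGNORECASE)
    if m and USER_WRITABLE.search(m.group(1)):
        reasons.append('task definition read from user-writable path: ' + m.group(1))
    return reasons


def flag_task_xml(xml_text: str) -> list:
    """Reasons a task definition looks like a boot-survival mechanism."""
    root = ET.fromstring(xml_text)
    reasons = []
    for cmd in root.findall('.//t:Actions/t:Exec/t:Command', TASK_NS):
        if cmd.text and USER_WRITABLE.search(cmd.text):
            reasons.append('task runs a binary from a user-writable path: ' + cmd.text)
    for trig in root.findall('.//t:Triggers/*', TASK_NS):
        name = trig.tag.rsplit('}', 1)[-1]   # strip the namespace prefix
        if name in ('LogonTrigger', 'BootTrigger'):
            reasons.append('persistence trigger: ' + name)
    return reasons


def triage(cmdline: str, xml_text: str) -> list:
    """Combine both checks, as an analyst would once the task XML has been recovered."""
    return flag_schtasks_cmdline(cmdline) + flag_task_xml(xml_text)


if __name__ == '__main__':
    for reason in triage(SAMPLE_CMDLINE, SAMPLE_TASK_XML):
        print('SUSPICIOUS:', reason)
    print('benign task reasons:', flag_task_xml(BENIGN_TASK_XML))
```

On a live host the same XML is available after the fact under C:\Windows\System32\Tasks\Updates\XjmosAst even when the temp file has been deleted, so the XML check is the one that survives cleanup.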

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process information set: NOOPENFILEERRORBOX (44 identical events; SetErrorMode with SEM_NOOPENFILEERRORBOX suppresses the dialog Windows would otherwise show when a file cannot be found, which keeps a failed load silent, but it is set here by the sample, by powershell.exe and by MSBuild.exe alike, so on its own it is a weak indicator)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (100 identical events)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe PID: 7508, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: XjmosAst.exe PID: 7912, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: AC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 2810000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 2660000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 8A70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 9A70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 9C80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: AC80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: B090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: C090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: D090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: E090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: F090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 10090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 11090000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1490000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3200000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3070000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: CA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 26A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 46A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 83B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 93B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 95A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: A5A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: A980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: B980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: C980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: D980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: E980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: F980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 10980000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1280000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3100000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1620000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5741
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 948
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1959
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1207
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3670
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe TID: 7528 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -12912720851596678s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7956 Thread sleep count: 1959 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99760s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7956 Thread sleep count: 1656 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99431s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99323s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99190s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98581s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98232s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932Thread sleep time: -98125s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932Thread sleep time: -98016s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932Thread sleep time: -97906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932Thread sleep time: -97797s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe TID: 7952Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -12912720851596678s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3384Thread sleep count: 1207 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -99875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3384Thread sleep count: 3670 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -99762s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -99641s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -99531s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -99391s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -99266s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -99156s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -99047s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98937s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98828s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98719s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98608s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98469s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98344s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98234s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98122s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -98007s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -97900s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -97782s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -97657s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -97532s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -97422s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -97313s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99760Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99431Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99323Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99190Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98581Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98232Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98016Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97797Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99762Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99641Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99391Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99266Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98937Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98608Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98122Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98007Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97900Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97782Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97657Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97532Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1009008
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EFC008
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp4EE4.tmp"
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe; Queries volume information: C:\Users\user\AppData\Roaming\XjmosAst.exe (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match, file source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000006.00000002.1693905753.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2880157925.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2880157925.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.1693905753.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe PID: 7508, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MSBuild.exe PID: 7840, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MSBuild.exe PID: 7196, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match, file source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2880157925.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.1693905753.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe PID: 7508, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MSBuild.exe PID: 7840, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MSBuild.exe PID: 7196, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, file source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000006.00000002.1693905753.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2880157925.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2880157925.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.1693905753.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe PID: 7508, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MSBuild.exe PID: 7840, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MSBuild.exe PID: 7196, type: MEMORYSTR
MITRE ATT&CK matrix (one line per tactic; the number shown before a technique in the original matrix is kept in parentheses after it):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (121); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (311); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (311)
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery (1); System Information Discovery (24); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (12); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1466586
Sample: SecuriteInfo.com.TrojanLoad...
Startdate: 03/07/2024
Architecture: WINDOWS
Score: 100

Start
  DNS/IP: us2.smtp.mailhostbox.com; fp2e7a.wpc.phicdn.net; fp2e7a.wpc.2be4.phicdn.net
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 10 other signatures
  Started: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe (7); XjmosAst.exe (5)

SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
  Dropped: C:\Users\user\AppData\Roaming\XjmosAst.exe (PE32); C:\Users\...\XjmosAst.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp40BB.tmp (XML); SecuriteInfo.com.T....12946.7200.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  Started: MSBuild.exe (2); powershell.exe (23); schtasks.exe (1)

XjmosAst.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: MSBuild.exe (2); schtasks.exe (1); MSBuild.exe

MSBuild.exe (started by SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe)
  DNS/IP: us2.smtp.mailhostbox.com 208.91.199.223, ports 49733, 49736, 587, PUBLIC-DOMAIN-REGISTRYUS United States
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

powershell.exe
  Signatures: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe; conhost.exe

schtasks.exe (started by SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe)
  Started: conhost.exe

MSBuild.exe (started by XjmosAst.exe)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

schtasks.exe (started by XjmosAst.exe)
  Started: conhost.exe

Source | Detection | Scanner | Label
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | 18% | ReversingLabs |
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | 34% | Virustotal |
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XjmosAst.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XjmosAst.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\XjmosAst.exe | 34% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
us2.smtp.mailhostbox.com | 1% | Virustotal |
fp2e7a.wpc.phicdn.net | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.223 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
                    • URL Reputation: safe
                    unknown
                    http://www.founder.com.cn/cnSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designers/frere-user.htmlSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.jiyu-kobo.co.jp/SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designers8SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://ocsp.sectigo.com0AMSBuild.exe, 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.fonts.comSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.sandoll.co.krSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.urwpp.deDPleaseSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.zhongyicts.com.cnSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658382497.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, XjmosAst.exe, 00000007.00000002.1694735664.0000000002765000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.sakkal.comSecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://crl.microsMSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.91.199.223 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1466586
                    Start date and time:2024-07-03 07:18:05 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 10s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:17
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
                    Detection:MAL
                    Classification:mal100.spre.troj.spyw.evad.winEXE@18/11@1/1
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 336
                    • Number of non-executed functions: 27
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.114.59.183, 93.184.221.240, 192.229.221.95, 52.165.164.15, 20.3.187.198
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                    • Execution Graph export aborted for target MSBuild.exe, PID 7196 because it is empty
                    • Execution Graph export aborted for target MSBuild.exe, PID 7840 because it is empty
                    • Not all processes were analyzed; report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    01:18:53 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe modified
                    01:18:55 | API Interceptor | 15x Sleep call for process: powershell.exe modified
                    01:18:56 | API Interceptor | 44x Sleep call for process: MSBuild.exe modified
                    01:18:57 | API Interceptor | 1x Sleep call for process: XjmosAst.exe modified
                    06:18:55 | Task Scheduler | Run new task: XjmosAst path: C:\Users\user\AppData\Roaming\XjmosAst.exe
                    Associated Sample Name / URL | Detection | Threat Name | Context
                    Match:208.91.199.223
                    QUOTATION.exe | malicious | AgentTesla
                    Attached Quotation.exe | malicious | AgentTesla
                    Swift Copy_98754.bat.exe | malicious | AgentTesla
                    Swift Copy TT USD14037800.PDF.exe | malicious | AgentTesla
                    PO#0094321.exe | malicious | AgentTesla
                    P.O (PA) 452.exe | malicious | AgentTesla
                    DHL Shipping Documents.exe | malicious | AgentTesla
                    Product Sample 76438.exe | malicious | AgentTesla
                    HSBC-payment-Advice.bat | malicious | AgentTesla, PureLog Stealer
                    15iXddUX2F.exe | malicious | AgentTesla
                    Associated Sample Name / URL | Detection | Threat Name | Context
                    Match:us2.smtp.mailhostbox.com
                    001 Tech. Spec pdf.exe | malicious | AgentTesla | 208.91.199.224
                    payment order.exe | malicious | AgentTesla, PureLog Stealer | 208.91.198.143
                    Quotation No.06262024.exe | malicious | AgentTesla | 208.91.199.224
                    I0Hw9G8QDJ.exe | malicious | AgentTesla | 208.91.199.225
                    Urgent PO.exe | malicious | AgentTesla, PureLog Stealer | 208.91.199.224
                    z1PURCHASEORDER736353.exe | malicious | AgentTesla, PureLog Stealer | 208.91.199.224
                    PO#0094321.exe | malicious | AgentTesla | 208.91.199.224
                    Mt103.exe | malicious | AgentTesla | 208.91.198.143
                    SecuriteInfo.com.Win32.CrypterX-gen.21521.6176.exe | malicious | AgentTesla | 208.91.199.224
                    purchase order.exe | malicious | AgentTesla | 208.91.199.225
                    Match:fp2e7a.wpc.phicdn.net
                    https://corroboree-my.sharepoint.com/:o:/g/personal/jim_corroboreegroup_com_au/EhkrUZo0A7NAnvRNEtKnYx0Bi8APjQb6lXmXpqhr_dptBQ?e=5%3ajUyr76&at=9 | malicious | HTMLPhisher | 192.229.221.95
                    https://zondahome.ncg.bio | malicious | HTMLPhisher | 192.229.221.95
                    https://www.virustotal.com/gui/file/c7fb4f898b5b74b356be0a67a0b13d805c676782eef75f394815256b6ff800b9 | malicious | Unknown | 192.229.221.95
                    https://www.virustotal.com/gui/file/45130cabd82397a6b0aca9ada16f52e9d927d57966c90201fdc6b9595bb6b6d1 | malicious | Unknown | 192.229.221.95
                    https://quijotefoods-my.sharepoint.com/:o:/g/personal/nuria_vega_palacios_us/EvjUhubtVKJCgLuhY5Chp6MBgkkDAMsjXwhocdtqWkK-Bg?e=5%3aKcxBR3&at=9 | malicious | HTMLPhisher | 192.229.221.95
                    https://townsvilleucc.com.au | malicious | Unknown | 192.229.221.95
                    https://emea.dcv.ms/xAUEwUn0yq&c=E,1,toHboUmwDMlhwr-wc7dBvpYkcIiHsLy6ICiYedy6zqFMHJPZP4VPyK8zV2e78vqw1ZiSYyf8djJ0Qg64xCBVUCvFvYwJhqpWb_urHJ65A88aoiyybtSIFaPo&typo=1 | malicious | Unknown | 192.229.221.95
                    https://cottonaust-my.sharepoint.com/:o:/g/personal/alik_cotton_org_au/EuLPuwXgoYRMiEqYXs3_rLwB-wXPnDQH36qdcfGJf36wfQ?e=5%3a5iMFOj&at=9&xsdata=MDV8MDJ8anJvc2luZ0Bzbi5jb20uYXV8ZTM1ZDk4Mjc1MTRkNDBhYTMzNTEwOGRjOWFlNzVjZmJ8YzliYTVmZjE1MGZiNDQzYWFhNTFmOGE5NzllNmU2ZDF8MHwwfDYzODU1NTU2NTcxOTU0MzY0NHxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=MFc3WHlZbDlQVVZ4dEtjOENETThRcWo2M2JHdzVDVElrYjVkVDdERHZGYz0%3d | malicious | HTMLPhisher | 192.229.221.95
                    https://cottonaust-my.sharepoint.com/:o:/g/personal/alik_cotton_org_au/EuLPuwXgoYRMiEqYXs3_rLwB-wXPnDQH36qdcfGJf36wfQ?e=5%3a5iMFOj&at=9&xsdata=MDV8MDJ8anJvc2luZ0Bzbi5jb20uYXV8ZTM1ZDk4Mjc1MTRkNDBhYTMzNTEwOGRjOWFlNzVjZmJ8YzliYTVmZjE1MGZiNDQzYWFhNTFmOGE5NzllNmU2ZDF8MHwwfDYzODU1NTU2NTcxOTU0OTU0MnxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=VE9DZzJSVTNuaG5vZE9ZcEhOQlFJanR5NTYvK1h0NU1kSDlQMTlVb2ZTVT0%3d | malicious | HTMLPhisher | 192.229.221.95
                    https://rules-pear-kft5d2.mystrikingly.com/ | malicious | Unknown | 192.229.221.95
                    Associated Sample Name / URL | Detection | Threat Name | Context
                    Match:PUBLIC-DOMAIN-REGISTRYUS
                    https://wazzootech.co/cgi-ssl/ | malicious | Unknown | 162.251.85.203
                    cp3pOZHLxp.exe | malicious | AgentTesla | 216.10.246.185
                    NsqPGxz4Gj.exe | malicious | AgentTesla | 216.10.246.185
                    001 Tech. Spec pdf.exe | malicious | AgentTesla | 208.91.199.224
                    payment order.exe | malicious | AgentTesla, PureLog Stealer | 208.91.198.143
                    Quotation No.06262024.exe | malicious | AgentTesla | 208.91.199.224
                    I0Hw9G8QDJ.exe | malicious | AgentTesla | 208.91.199.225
                    DRKi1Olgjp.elf | malicious | Mirai, Moobot | 103.50.160.26
                    Urgent PO.exe | malicious | AgentTesla, PureLog Stealer | 208.91.199.224
                    z1PURCHASEORDER736353.exe | malicious | AgentTesla, PureLog Stealer | 208.91.199.224
                                        No context
                                        No context
                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Users\user\AppData\Roaming\XjmosAst.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2232
                                        Entropy (8bit):5.379401388151058
                                        Encrypted:false
                                        SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:fLHxvIIwLgZ2KRHWLOugss
                                        MD5:25321E5EF46D4B6586B432EDE14CDFB7
                                        SHA1:7B04466E0869735444E88F5F99045A021E104D5B
                                        SHA-256:D01CD798290DF4649DC4747E1130281BCB90400C1BABA2727D819D2626CCE70B
                                        SHA-512:4C5A5AEBCCF0426B10C11CAC0E2B935030FE539EF3582BC6AE4CCF052A9A7C6C35F3B8409123F59BDC7F0C35ABB9B433A4FAFFA50F856197A0B4712C8283BD40
                                        Malicious:false
                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1574
                                        Entropy (8bit):5.106421531308612
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaoxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT9v
                                        MD5:A7D47298ACF28821788BEEB0BD74B824
                                        SHA1:9382CD56F45B206A6B12877353AAC16CE3C38B88
                                        SHA-256:D10B6C220D04031BB0F4B8ADD8C57939A1535B85235C97C9BD20E5547FD88FA2
                                        SHA-512:C7F93DC675BFED90A66462096F60DAD17D39F3740558946F83405C9390FCD317BBBFC33550DEF603F45AD1CDC9BDADA347256AFE80815A8FFF2706AC8D368880
                                        Malicious:true
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                        Process:C:\Users\user\AppData\Roaming\XjmosAst.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1574
                                        Entropy (8bit):5.106421531308612
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaoxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT9v
                                        MD5:A7D47298ACF28821788BEEB0BD74B824
                                        SHA1:9382CD56F45B206A6B12877353AAC16CE3C38B88
                                        SHA-256:D10B6C220D04031BB0F4B8ADD8C57939A1535B85235C97C9BD20E5547FD88FA2
                                        SHA-512:C7F93DC675BFED90A66462096F60DAD17D39F3740558946F83405C9390FCD317BBBFC33550DEF603F45AD1CDC9BDADA347256AFE80815A8FFF2706AC8D368880
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):767488
                                        Entropy (8bit):7.878048508934381
                                        Encrypted:false
                                        SSDEEP:12288:vub6JNf+wqyAEufxgTPSQdp9fLzsj41kgWUO9bq8FtzDAcA6:7JwyAEymTPrNnE4enUO9bq0zDAcn
                                        MD5:0C4D10BB9E089CD3126533DF5F72A958
                                        SHA1:8905B784ED0BB4DE061700F3BD64C4A1A6674074
                                        SHA-256:825F69FE9F15110C8199A4F1E9AB2F316385585A6B436B9A7C33AB2DC31FE76B
                                        SHA-512:3FB23F35C8BA33183708F6B462E07E495BBD20DB522EE0AEB497B37CD01447CD931D6F61BDD34721F2E20B53AEB4E7B409FBF68275B744E9C25A126F68C9512F
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 24%
• Antivirus: Virustotal, Detection: 34%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..f..............0..~...6........... ........@.. ....................................@.................................@...O........3........................................................................... ............... ..H............text....}... ...~.................. ..`.rsrc....3.......4..................@..@.reloc..............................@..B................t.......H...................,....................................................0...........s....}......}......}.....(.......((.....{....r...p"...A...s....o .....{.....{....r...p(....%.or.....ol.....{....r#..p(....o`.....{....r3..p(....of.....{.....{....o!...ob............s"...(#....*..*....0...........($...rC..p(%...s&....+..*...0............(....o'.....9.....s(.....o)...s*.....(....o+.......o,...u.........,..o-.......o......8......(/.......{......{&.....{'.....{(...sH.......{*...-
                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.878048508934381
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
                                        File size:767'488 bytes
                                        MD5:0c4d10bb9e089cd3126533df5f72a958
                                        SHA1:8905b784ed0bb4de061700f3bd64c4a1a6674074
                                        SHA256:825f69fe9f15110c8199a4f1e9ab2f316385585a6b436b9a7c33ab2dc31fe76b
                                        SHA512:3fb23f35c8ba33183708f6b462e07e495bbd20db522ee0aeb497b37cd01447cd931d6f61bdd34721f2e20b53aeb4e7b409fbf68275b744e9c25a126f68c9512f
                                        SSDEEP:12288:vub6JNf+wqyAEufxgTPSQdp9fLzsj41kgWUO9bq8FtzDAcA6:7JwyAEymTPrNnE4enUO9bq0zDAcn
                                        TLSH:D6F4127425948D2AE19E4BBFE1E0022057F4F61A3083FB0E2FD464D90DA77E1CA76A57
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..f..............0..~...6........... ........@.. ....................................@................................
                                        Icon Hash:2749a4a6b8e4570b
                                        Entrypoint:0x4b9d92
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6684A870 [Wed Jul 3 01:25:04 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb9d40 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x3390 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb7db8 | 0xb7e00 | aa56b42b05a067f17cf65d601d4c9c24 | False | 0.9077477056424201 | data | 7.883094544477586 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xba000 | 0x3390 | 0x3400 | 0c921be5a9b8e6b6f6dc1536f147dcbc | False | 0.9211237980769231 | data | 7.75587955342242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xbe000 | 0xc | 0x200 | c142b5cbf72a9d5444019380b0784f77 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xba0c8 | 0x2f27 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9724132217711872
RT_GROUP_ICON | 0xbd000 | 0x14 | data | | | 1.05
RT_VERSION | 0xbd024 | 0x368 | data | | | 0.4334862385321101
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 07:18:56.697031975 CEST | 61360 | 53 | 192.168.2.4 | 1.1.1.1
Jul 3, 2024 07:18:56.710264921 CEST | 53 | 61360 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 07:18:56.697031975 CEST | 192.168.2.4 | 1.1.1.1 | 0x1112 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 07:18:56.710264921 CEST | 1.1.1.1 | 192.168.2.4 | 0x1112 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 07:18:56.710264921 CEST | 1.1.1.1 | 192.168.2.4 | 0x1112 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 07:18:56.710264921 CEST | 1.1.1.1 | 192.168.2.4 | 0x1112 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 07:18:56.710264921 CEST | 1.1.1.1 | 192.168.2.4 | 0x1112 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 07:19:13.257091045 CEST | 1.1.1.1 | 192.168.2.4 | 0x1629 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 07:19:13.257091045 CEST | 1.1.1.1 | 192.168.2.4 | 0x1629 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 07:19:26.316450119 CEST | 1.1.1.1 | 192.168.2.4 | 0xcbcb | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 07:19:26.316450119 CEST | 1.1.1.1 | 192.168.2.4 | 0xcbcb | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 3, 2024 07:18:57.471573114 CEST | 587 | 49733 | 208.91.199.223 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 3, 2024 07:18:57.475598097 CEST | 49733 | 587 | 192.168.2.4 | 208.91.199.223 | EHLO 936905
Jul 3, 2024 07:18:57.635070086 CEST | 587 | 49733 | 208.91.199.223 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 3, 2024 07:18:57.641000986 CEST | 49733 | 587 | 192.168.2.4 | 208.91.199.223 | STARTTLS
Jul 3, 2024 07:18:57.799710989 CEST | 587 | 49733 | 208.91.199.223 | 192.168.2.4 | 220 2.0.0 Ready to start TLS
Jul 3, 2024 07:19:00.549427986 CEST | 587 | 49736 | 208.91.199.223 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 3, 2024 07:19:00.549670935 CEST | 49736 | 587 | 192.168.2.4 | 208.91.199.223 | EHLO 936905
Jul 3, 2024 07:19:00.707576036 CEST | 587 | 49736 | 208.91.199.223 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 3, 2024 07:19:00.707760096 CEST | 49736 | 587 | 192.168.2.4 | 208.91.199.223 | STARTTLS
Jul 3, 2024 07:19:00.875597954 CEST | 587 | 49736 | 208.91.199.223 | 192.168.2.4 | 220 2.0.0 Ready to start TLS

                                        Target ID:0
                                        Start time:01:18:52
                                        Start date:03/07/2024
                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe"
                                        Imagebase:0x3f0000
                                        File size:767'488 bytes
                                        MD5 hash:0C4D10BB9E089CD3126533DF5F72A958
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:01:18:54
                                        Start date:03/07/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
                                        Imagebase:0x770000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:01:18:54
                                        Start date:03/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:01:18:54
                                        Start date:03/07/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
                                        Imagebase:0xb20000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:01:18:54
                                        Start date:03/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:01:18:55
                                        Start date:03/07/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        Imagebase:0xe70000
                                        File size:262'432 bytes
                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1693905753.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1693905753.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1693905753.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:01:18:55
                                        Start date:03/07/2024
                                        Path:C:\Users\user\AppData\Roaming\XjmosAst.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\XjmosAst.exe
                                        Imagebase:0x2d0000
                                        File size:767'488 bytes
                                        MD5 hash:0C4D10BB9E089CD3126533DF5F72A958
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 24%, ReversingLabs
                                        • Detection: 34%, Virustotal, Browse
                                        Reputation:low
                                        Has exited:true

                                        Target ID:8
                                        Start time:01:18:56
                                        Start date:03/07/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff693ab0000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:01:18:58
                                        Start date:03/07/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp4EE4.tmp"
                                        Imagebase:0xb20000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:01:18:58
                                        Start date:03/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:01:18:58
                                        Start date:03/07/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        Imagebase:0x270000
                                        File size:262'432 bytes
                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:01:18:58
                                        Start date:03/07/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        Imagebase:0xc30000
                                        File size:262'432 bytes
                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2880157925.000000000317A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2880157925.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2880157925.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false

                                          Execution Graph

                                          Execution Coverage:12.7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:154
                                          Total number of Limit Nodes:9
                                          execution_graph 49096 acb868 49097 acb87c 49096->49097 49098 acb8a1 49097->49098 49100 acb030 49097->49100 49101 acba48 LoadLibraryExW 49100->49101 49103 acbac1 49101->49103 49103->49098 49104 ac4668 49105 ac467a 49104->49105 49106 ac4686 49105->49106 49108 ac4779 49105->49108 49109 ac479d 49108->49109 49113 ac4888 49109->49113 49117 ac4877 49109->49117 49115 ac48af 49113->49115 49114 ac498c 49115->49114 49121 ac4524 49115->49121 49119 ac48af 49117->49119 49118 ac498c 49118->49118 49119->49118 49120 ac4524 CreateActCtxA 49119->49120 49120->49118 49122 ac5d18 CreateActCtxA 49121->49122 49124 ac5ddb 49122->49124 49152 acd858 49153 acd89e GetCurrentProcess 49152->49153 49155 acd8e9 49153->49155 49156 acd8f0 GetCurrentThread 49153->49156 49155->49156 49157 acd92d GetCurrentProcess 49156->49157 49158 acd926 49156->49158 49159 acd963 GetCurrentThreadId 49157->49159 49158->49157 49161 acd9bc 49159->49161 49125 26f63aa 49126 26f6384 49125->49126 49127 26f6393 49126->49127 49128 26f8d08 12 API calls 49126->49128 49129 26f8d18 12 API calls 49126->49129 49130 26f8d11 12 API calls 49126->49130 49128->49126 49129->49126 49130->49126 48954 26f64c9 48956 26f6384 48954->48956 48955 26f6393 48956->48955 48960 26f8d08 48956->48960 48973 26f8d11 48956->48973 48986 26f8d18 48956->48986 48961 26f8d15 48960->48961 48966 26f8d56 48961->48966 48999 26f92fe 48961->48999 49004 26f91f0 48961->49004 49008 26f9402 48961->49008 49013 26f9903 48961->49013 49018 26f99a4 48961->49018 49022 26f93b7 48961->49022 49026 26f9269 48961->49026 49031 26f98ac 48961->49031 49036 26f955c 48961->49036 49044 26f967d 48961->49044 48966->48956 48974 26f8d32 48973->48974 48975 26f8d56 48974->48975 48976 26f92fe 2 API calls 48974->48976 48977 26f967d 2 API calls 48974->48977 48978 26f955c 4 API calls 48974->48978 48979 26f98ac 2 API calls 48974->48979 48980 26f9269 2 API calls 48974->48980 48981 26f93b7 2 API calls 48974->48981 48982 26f99a4 2 API calls 48974->48982 48983 
26f9903 2 API calls 48974->48983 48984 26f9402 2 API calls 48974->48984 48985 26f91f0 2 API calls 48974->48985 48975->48956 48976->48975 48977->48975 48978->48975 48979->48975 48980->48975 48981->48975 48982->48975 48983->48975 48984->48975 48985->48975 48987 26f8d32 48986->48987 48988 26f8d56 48987->48988 48989 26f92fe 2 API calls 48987->48989 48990 26f967d 2 API calls 48987->48990 48991 26f955c 4 API calls 48987->48991 48992 26f98ac 2 API calls 48987->48992 48993 26f9269 2 API calls 48987->48993 48994 26f93b7 2 API calls 48987->48994 48995 26f99a4 2 API calls 48987->48995 48996 26f9903 2 API calls 48987->48996 48997 26f9402 2 API calls 48987->48997 48998 26f91f0 2 API calls 48987->48998 48988->48956 48989->48988 48990->48988 48991->48988 48992->48988 48993->48988 48994->48988 48995->48988 48996->48988 48997->48988 48998->48988 49000 26f9753 48999->49000 49048 26f570f 49000->49048 49052 26f5710 49000->49052 49001 26f976e 49056 26f5f5d 49004->49056 49060 26f5f68 49004->49060 49009 26f940f 49008->49009 49064 26f565f 49009->49064 49068 26f5660 49009->49068 49010 26f9250 49015 26f9387 49013->49015 49014 26f9b9a 49015->49014 49072 26f5cd9 49015->49072 49076 26f5ce0 49015->49076 49019 26f9250 49018->49019 49020 26f570f Wow64SetThreadContext 49018->49020 49021 26f5710 Wow64SetThreadContext 49018->49021 49020->49019 49021->49019 49024 26f5cd9 WriteProcessMemory 49022->49024 49025 26f5ce0 WriteProcessMemory 49022->49025 49023 26f93e3 49023->48966 49024->49023 49025->49023 49027 26f9279 49026->49027 49029 26f5cd9 WriteProcessMemory 49027->49029 49030 26f5ce0 WriteProcessMemory 49027->49030 49028 26f9734 49029->49028 49030->49028 49032 26f9387 49031->49032 49032->48966 49033 26f9b9a 49032->49033 49034 26f5cd9 WriteProcessMemory 49032->49034 49035 26f5ce0 WriteProcessMemory 49032->49035 49034->49032 49035->49032 49037 26f9619 49036->49037 49080 26f5c19 49037->49080 49084 26f5c20 49037->49084 49038 26f9387 49039 26f9b9a 49038->49039 49040 26f5cd9 WriteProcessMemory 
49038->49040 49041 26f5ce0 WriteProcessMemory 49038->49041 49040->49038 49041->49038 49088 26f5dcf 49044->49088 49092 26f5dd0 49044->49092 49045 26f969f 49049 26f5710 Wow64SetThreadContext 49048->49049 49051 26f579d 49049->49051 49051->49001 49053 26f5755 Wow64SetThreadContext 49052->49053 49055 26f579d 49053->49055 49055->49001 49057 26f5f68 CreateProcessA 49056->49057 49059 26f61b3 49057->49059 49061 26f5ff1 CreateProcessA 49060->49061 49063 26f61b3 49061->49063 49065 26f5660 ResumeThread 49064->49065 49067 26f56d1 49065->49067 49067->49010 49069 26f56a0 ResumeThread 49068->49069 49071 26f56d1 49069->49071 49071->49010 49073 26f5ce3 WriteProcessMemory 49072->49073 49075 26f5d7f 49073->49075 49075->49015 49077 26f5d28 WriteProcessMemory 49076->49077 49079 26f5d7f 49077->49079 49079->49015 49081 26f5c23 VirtualAllocEx 49080->49081 49083 26f5c9d 49081->49083 49083->49038 49085 26f5c60 VirtualAllocEx 49084->49085 49087 26f5c9d 49085->49087 49087->49038 49089 26f5dd0 ReadProcessMemory 49088->49089 49091 26f5e5f 49089->49091 49091->49045 49093 26f5e1b ReadProcessMemory 49092->49093 49095 26f5e5f 49093->49095 49095->49045 49141 26f9f08 49142 26fa093 49141->49142 49143 26f9f2e 49141->49143 49143->49142 49145 26f815c 49143->49145 49146 26fa188 PostMessageW 49145->49146 49147 26fa1f4 49146->49147 49147->49143 49137 6e26c28 49139 6e26c76 DrawTextExW 49137->49139 49140 6e26cce 49139->49140 48952 acdaa0 DuplicateHandle 48953 acdb36 48952->48953 49148 acb7c0 49149 acb808 GetModuleHandleW 49148->49149 49150 acb802 49148->49150 49151 acb835 49149->49151 49150->49149

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 294 6d97c89-6d97cc1 375 6d97cc1 call 6d980d8 294->375 376 6d97cc1 call 6d980c8 294->376 296 6d97cc7-6d97d22 call 6d967ec 305 6d97d25-6d97d3a 296->305 307 6d97d3c 305->307 308 6d97d41-6d97d56 307->308 309 6d97d58 308->309 310 6d97da1-6d97ded 308->310 309->307 309->310 311 6d98078-6d9807f 309->311 312 6d97d5f-6d97d61 309->312 313 6d97e70-6d97e84 309->313 314 6d97e12-6d97e26 309->314 315 6d97e94 309->315 316 6d97e28 309->316 317 6d97d6a-6d97d85 309->317 318 6d97faa-6d97fad 309->318 319 6d97e4d 309->319 320 6d97def 309->320 321 6d97fe3-6d98059 309->321 322 6d97ec4-6d97f0d 309->322 323 6d97d87-6d97d89 309->323 324 6d97e86 309->324 310->316 310->320 312->305 326 6d97d63-6d97d68 312->326 329 6d97e52-6d97e67 313->329 325 6d97df4-6d97e09 314->325 330 6d97e99-6d97eae 315->330 316->319 317->308 386 6d97fb0 call 6d9a390 318->386 387 6d97fb0 call 6d9a380 318->387 319->329 320->325 384 6d9805b call 6d9ccd9 321->384 385 6d9805b call 6d9ccf0 321->385 355 6d97f13-6d97f15 322->355 327 6d97d8b-6d97d90 323->327 328 6d97d92 323->328 324->315 325->316 334 6d97e0b 325->334 326->308 337 6d97d97-6d97d9f 327->337 328->337 329->324 338 6d97e69 329->338 330->311 341 6d97eb4 330->341 334->311 334->313 334->314 334->315 334->316 334->318 334->319 334->320 334->321 334->322 334->324 337->308 338->311 338->313 338->315 338->318 338->319 338->321 338->322 338->324 339 6d97fb6-6d97fbd 377 6d97fc2 call 6d9aadc 339->377 378 6d97fc2 call 6d9aafc 339->378 379 6d97fc2 call 6d9ab1c 339->379 380 6d97fc2 call 6d9c0b0 339->380 381 6d97fc2 call 6d9c022 339->381 341->311 341->315 341->318 341->321 341->322 342 6d97ec3 341->342 342->322 346 6d97fc8 382 6d97fca call 6d9c6d0 346->382 383 6d97fca call 6d9c6c0 346->383 350 6d97fd0-6d97fde 350->330 357 6d97f2d-6d97f7f 355->357 358 6d97f17-6d97f1d 355->358 371 6d97f81-6d97f87 357->371 372 6d97f97-6d97fa5 357->372 359 6d97f1f 358->359 360 6d97f21-6d97f23 358->360 359->357 360->357 367 6d98061 369 
6d98068-6d98073 367->369 369->330 373 6d97f89 371->373 374 6d97f8b-6d97f8d 371->374 372->330 373->372 374->372 375->296 376->296 377->346 378->346 379->346 380->346 381->346 382->350 383->350 384->367 385->367 386->339 387->339
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: !Y3E$Te^q$Te^q$$^q$$^q$$^q$$^q
                                          • API String ID: 0-3702787824
                                          • Opcode ID: 15c73739c11f5e8a0d558d3f640a07e8baa58a6c46579de97ecb032cc4dcef95
                                          • Instruction ID: 1fe75329ff994b4c786b493dde4c7d1cccb2ab8b9745be9f26979f6e80cfe1a5
                                          • Opcode Fuzzy Hash: 15c73739c11f5e8a0d558d3f640a07e8baa58a6c46579de97ecb032cc4dcef95
                                          • Instruction Fuzzy Hash: C4A16D34B102098FDB889F79C898B6E77E3BBC8711F258429E506EB394DE75DC018B90

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 409 6d9285c-6d9285d 410 6d928bc 409->410 411 6d9285f 409->411 414 6d928c2-6d928cc 410->414 415 6d92cf4-6d92d04 410->415 412 6d9281b-6d9282e 411->412 413 6d92861-6d92874 411->413 412->409 413->410 414->415 417 6d928d2-6d928e7 414->417 420 6d92d31-6d92d4c 415->420 421 6d92d06-6d92d30 415->421 417->415 422 6d92d4e-6d92d75 420->422 423 6d92d76-6d92d78 420->423 421->420 422->423 424 6d92d7a-6d92d8c 423->424 425 6d92da6-6d92db3 423->425 426 6d92d8e-6d92da5 424->426 427 6d92db4-6d92ddb 424->427 425->427 426->425 431 6d92de2 427->431 432 6d92de7-6d92dfc 431->432 433 6d92f1b-6d92f47 432->433 434 6d92e02 432->434 457 6d92f4d-6d92f64 433->457 434->431 434->433 435 6d92e09-6d92e0d 434->435 436 6d92e88-6d92ea1 434->436 437 6d92ecb-6d92ee8 434->437 438 6d92ebb-6d92ec6 434->438 439 6d92eed-6d92ef8 434->439 440 6d92e1d-6d92e4b 434->440 441 6d92e4d 434->441 442 6d92e71-6d92e83 434->442 443 6d92ea6-6d92eb6 434->443 445 6d92e0f-6d92e14 435->445 446 6d92e16 435->446 436->432 437->432 438->432 451 6d92efe-6d92f03 439->451 440->432 452 6d92e57-6d92e59 441->452 442->432 443->432 448 6d92e1b 445->448 446->448 448->432 455 6d92f0b-6d92f16 451->455 454 6d92e61-6d92e6c 452->454 454->432 455->432 459 6d92f66 call 6d94349 457->459 460 6d92f66 call 6d93d08 457->460 461 6d92f66 call 6d93e28 457->461 462 6d92f66 call 6d93d6d 457->462 463 6d92f66 call 6d93dcf 457->463 464 6d92f66 call 6d93dbf 457->464 465 6d92f66 call 6d93da1 457->465 466 6d92f66 call 6d93e10 457->466 467 6d92f66 call 6d93de5 457->467 468 6d92f66 call 6d94464 457->468 458 6d92f6c-6d92f75 459->458 460->458 461->458 462->458 463->458 464->458 465->458 466->458 467->458 468->458
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 6;}q$Te^q$Te^q
                                          • API String ID: 0-2563330411
                                          • Opcode ID: cd0730672feb1138478239dbba68543ab5cc8991a023a0a0291f767021b56644
                                          • Instruction ID: 85c7c293de0d59cb96bee1343774c4bf53954b58ae4e8bce4e9f6680abf5926a
                                          • Opcode Fuzzy Hash: cd0730672feb1138478239dbba68543ab5cc8991a023a0a0291f767021b56644
                                          • Instruction Fuzzy Hash: AD811471A21105AFDF948F78C8989AABFF6FF89310F21445AE4C1DB351C6308A05CBE1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 526 6d9270d-6d92714 527 6d9271a-6d92724 526->527 528 6d92cf4-6d92d04 526->528 527->528 529 6d9272a-6d9273a 527->529 532 6d92d31-6d92d4c 528->532 533 6d92d06-6d92d30 528->533 529->528 531 6d92740-6d9274a 529->531 531->528 534 6d92750-6d92760 531->534 535 6d92d4e-6d92d75 532->535 536 6d92d76-6d92d78 532->536 533->532 534->528 537 6d92766-6d92770 534->537 535->536 538 6d92d7a-6d92d8c 536->538 539 6d92da6-6d92db3 536->539 537->528 540 6d92776-6d92786 537->540 541 6d92d8e-6d92da5 538->541 542 6d92db4-6d92ddb 538->542 539->542 540->528 543 6d9278c-6d92796 540->543 541->539 548 6d92de2 542->548 543->528 545 6d9279c-6d927ac 543->545 545->528 549 6d92de7-6d92dfc 548->549 550 6d92f1b-6d92f64 549->550 551 6d92e02 549->551 576 6d92f66 call 6d94349 550->576 577 6d92f66 call 6d93d08 550->577 578 6d92f66 call 6d93e28 550->578 579 6d92f66 call 6d93d6d 550->579 580 6d92f66 call 6d93dcf 550->580 581 6d92f66 call 6d93dbf 550->581 582 6d92f66 call 6d93da1 550->582 583 6d92f66 call 6d93e10 550->583 584 6d92f66 call 6d93de5 550->584 585 6d92f66 call 6d94464 550->585 551->548 551->550 552 6d92e09-6d92e0d 551->552 553 6d92e88-6d92ea1 551->553 554 6d92ecb-6d92ee8 551->554 555 6d92ebb-6d92ec6 551->555 556 6d92eed-6d92f03 551->556 557 6d92e1d-6d92e4b 551->557 558 6d92e4d-6d92e59 551->558 559 6d92e71-6d92e83 551->559 560 6d92ea6-6d92eb6 551->560 562 6d92e0f-6d92e14 552->562 563 6d92e16 552->563 553->549 554->549 555->549 572 6d92f0b-6d92f16 556->572 557->549 571 6d92e61-6d92e6c 558->571 559->549 560->549 565 6d92e1b 562->565 563->565 565->549 571->549 572->549 575 6d92f6c-6d92f75 576->575 577->575 578->575 579->575 580->575 581->575 582->575 583->575 584->575 585->575
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 7ad7da1f3d27809b8c867d99b4f79a10ce1bcd50f801c9c3589276eb29fdb930
                                          • Instruction ID: 0c018559f47c13a4806ab9e4a47ef1788a7574f7b27b2cfe2082fa51aa2040d2
                                          • Opcode Fuzzy Hash: 7ad7da1f3d27809b8c867d99b4f79a10ce1bcd50f801c9c3589276eb29fdb930
                                          • Instruction Fuzzy Hash: 3CA1D274A21105EFDF54CF68C8989AABFF6FF89300F26855AE4819B351C730DA05CBA1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 586 6d92644-6d9264b 587 6d92651-6d9265b 586->587 588 6d92cf4-6d92d04 586->588 587->588 589 6d92661-6d9267b 587->589 594 6d92d31-6d92d4c 588->594 595 6d92d06-6d92d30 588->595 590 6d92623-6d92637 589->590 592 6d92ced-6d92cf3 590->592 593 6d9263d-6d926df 590->593 593->590 596 6d92d4e-6d92d75 594->596 597 6d92d76-6d92d78 594->597 595->594 596->597 599 6d92d7a-6d92d8c 597->599 600 6d92da6-6d92db3 597->600 601 6d92d8e-6d92da5 599->601 602 6d92db4-6d92ddb 599->602 600->602 601->600 607 6d92de2 602->607 608 6d92de7-6d92dfc 607->608 609 6d92f1b-6d92f64 608->609 610 6d92e02 608->610 635 6d92f66 call 6d94349 609->635 636 6d92f66 call 6d93d08 609->636 637 6d92f66 call 6d93e28 609->637 638 6d92f66 call 6d93d6d 609->638 639 6d92f66 call 6d93dcf 609->639 640 6d92f66 call 6d93dbf 609->640 641 6d92f66 call 6d93da1 609->641 642 6d92f66 call 6d93e10 609->642 643 6d92f66 call 6d93de5 609->643 644 6d92f66 call 6d94464 609->644 610->607 610->609 611 6d92e09-6d92e0d 610->611 612 6d92e88-6d92ea1 610->612 613 6d92ecb-6d92ee8 610->613 614 6d92ebb-6d92ec6 610->614 615 6d92eed-6d92f03 610->615 616 6d92e1d-6d92e4b 610->616 617 6d92e4d-6d92e59 610->617 618 6d92e71-6d92e83 610->618 619 6d92ea6-6d92eb6 610->619 621 6d92e0f-6d92e14 611->621 622 6d92e16 611->622 612->608 613->608 614->608 631 6d92f0b-6d92f16 615->631 616->608 630 6d92e61-6d92e6c 617->630 618->608 619->608 624 6d92e1b 621->624 622->624 624->608 630->608 631->608 634 6d92f6c-6d92f75 635->634 636->634 637->634 638->634 639->634 640->634 641->634 642->634 643->634 644->634
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: add927de719e8c5ccb7b562702c94043155c669f989b22cc615dfe9a0317c0ed
                                          • Instruction ID: 0930a67fce4ec142aa777117d5a8b5d0f3b9fecd138ca3881ddac1ba05aa4fa2
                                          • Opcode Fuzzy Hash: add927de719e8c5ccb7b562702c94043155c669f989b22cc615dfe9a0317c0ed
                                          • Instruction Fuzzy Hash: 1891F071A21105AFDF548F78C8989AABFF6FF89300B25456AE5C1AB351C6308A05CBE1

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: d81ce72af7c843b865013d2e45cf88be884f683a3d91b51865c4533908219aee
                                          • Instruction ID: 535b08c5dd94fed99ccb30ddb8f35d9de680463fe19046083d00b4488d218916
                                          • Opcode Fuzzy Hash: d81ce72af7c843b865013d2e45cf88be884f683a3d91b51865c4533908219aee
                                          • Instruction Fuzzy Hash: AD91F271A111069FDF548F78C8989AAFFF6FF89300B21455AE4C2AB351C6309E45CBE1

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: aa4a56192761a44410bad9610d25078c78a8d48b04e57cfb32035045f9b59df5
                                          • Instruction ID: feb03624acca4d9002177a3ae9d61ebd8ddfb657143363512da236784610a877
                                          • Opcode Fuzzy Hash: aa4a56192761a44410bad9610d25078c78a8d48b04e57cfb32035045f9b59df5
                                          • Instruction Fuzzy Hash: 7E810431A211069FDF548F78C8999AABFF6FF89310F25445AE4C2EB351C6308A05CBE1

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: bf0c80b5d4656ca708bea727d05303b7092d2f19592a28f4f8796397b2e664f8
                                          • Instruction ID: df62ba48a93dcf1899c4ce4cbb59d85140c2a021aad62954beff9a74c53cd3c2
                                          • Opcode Fuzzy Hash: bf0c80b5d4656ca708bea727d05303b7092d2f19592a28f4f8796397b2e664f8
                                          • Instruction Fuzzy Hash: 0191E171A21105AFDF548F78C8989AABFF6FF89300F22456AE5C19B351C7319A05CBE1

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 78aa79e8a886e4d548fa8be08bc01b27a380c261af8c0d6780405caf627d1109
                                          • Instruction ID: 0e77c5aee2c079c1b753e808bee613d34f6ad354f71e874443bae17e375fd703
                                          • Opcode Fuzzy Hash: 78aa79e8a886e4d548fa8be08bc01b27a380c261af8c0d6780405caf627d1109
                                          • Instruction Fuzzy Hash: 4781F371A21106AFDF548F78C8989AABFF6FF89300F21455AE5C2DB351C6309A45CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 7268017a0d64b09d15e0c07354b71893eb43b482bb765b9c281e420f4792471b
                                          • Instruction ID: 400e29bd67034bb5cff4b82c7953e75f35bbcdbe4a07f0c8f78bb452710eecc4
                                          • Opcode Fuzzy Hash: 7268017a0d64b09d15e0c07354b71893eb43b482bb765b9c281e420f4792471b
                                          • Instruction Fuzzy Hash: CB81F271A21105AFDF548F78C8989AABFF6FF89300F21456AE4C2DB351C6319A05CBE1

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 5019211a212d984b7e58d2de86b037370b86a2055e92fee3d439b3c177000bfe
                                          • Instruction ID: f206ede0ca951ec4de65d02e4fcb1c3b0392aa92a681a29812c737cd98cbb048
                                          • Opcode Fuzzy Hash: 5019211a212d984b7e58d2de86b037370b86a2055e92fee3d439b3c177000bfe
                                          • Instruction Fuzzy Hash: 9C81E171A21105AFDF548F78C8989AABFF6FF89300B22456AE5C19B351C6318A05CBE1

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 42ac988d709b60d5af2ae7d208c1129209717dd6bdc63b0bdff89bb4a65f7cf6
                                          • Instruction ID: 61bb970632f00c90887c3458e8b4ace0039f52d1535487036fd7940abcfa5cba
                                          • Opcode Fuzzy Hash: 42ac988d709b60d5af2ae7d208c1129209717dd6bdc63b0bdff89bb4a65f7cf6
                                          • Instruction Fuzzy Hash: F781F271A21105AFDF548F78C8989AABFF6FF89300F22455AE5C29B351C6308A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: f86fc90cb45852d4b1dc0611881a92bc417b6b43d81b401d02588a7c000501d3
                                          • Instruction ID: 7dfd2b100c9c465260d64528a829622ce9b739597286a8a0b5155c91f63facca
                                          • Opcode Fuzzy Hash: f86fc90cb45852d4b1dc0611881a92bc417b6b43d81b401d02588a7c000501d3
                                          • Instruction Fuzzy Hash: 4A81E271A21105AFDF549F78C8989AABFF6FF89300F21456AE5C1EB351C6318A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: b8e7984f073b6aa6f7c69f76da750cd0ce0de36fb0e7c090162a3302150b1e97
                                          • Instruction ID: d85e99a42f8d4eb105aa543125c8f31b48e7f6aaaae3c9c37c7047fbe7b9616f
                                          • Opcode Fuzzy Hash: b8e7984f073b6aa6f7c69f76da750cd0ce0de36fb0e7c090162a3302150b1e97
                                          • Instruction Fuzzy Hash: 7F81E171A21105AFDF549F78C8989AABFF6FF89300F21456AE5C1DB351C6318A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: e9781797f9e133c61124b203511a6dda551b56726619f76db718b7a7d49e36c0
                                          • Instruction ID: 536ca7d9b9206fd4418fbd1f0daaa75c1b886de7093b05ae4371c50ff5695a68
                                          • Opcode Fuzzy Hash: e9781797f9e133c61124b203511a6dda551b56726619f76db718b7a7d49e36c0
                                          • Instruction Fuzzy Hash: 6181F271A21105AFDF548F78C8989AABFF6FF89300F21456AE5C2DB351C6318A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: dc091d424caed2f6f9663e25f03fa2c426a84ab10b96b68793419c4313497ac5
                                          • Instruction ID: 9083348c708e6612b801075ae9fcdd5831a1ba2d17b2b673e8bc9078557d61d9
                                          • Opcode Fuzzy Hash: dc091d424caed2f6f9663e25f03fa2c426a84ab10b96b68793419c4313497ac5
                                          • Instruction Fuzzy Hash: 6C81E171A21105AFDF548F78CC989AABFF6FF89310F21456AE4C29B351C6308A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 5bc2b8a1904fc84d4256159971c53d3139d4310d4aae6301b75a42644419a20a
                                          • Instruction ID: 88d98569ca1408f0c9906912a6e9e9fe547cc834dd043a940923d3ff4d1b9022
                                          • Opcode Fuzzy Hash: 5bc2b8a1904fc84d4256159971c53d3139d4310d4aae6301b75a42644419a20a
                                          • Instruction Fuzzy Hash: 2181F271A21105AFDF549F78C8989AABFF6FF89310F21456AE4C2DB351C6308A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 7c870abd82f6df4337094e536adc601449dd43cecb1d9f3f79c9ff5f95add123
                                          • Instruction ID: 8636186eaccdbf9efa932cd4ab5f16bd7a7f8ba92f11c5949bb002e0f18a3724
                                          • Opcode Fuzzy Hash: 7c870abd82f6df4337094e536adc601449dd43cecb1d9f3f79c9ff5f95add123
                                          • Instruction Fuzzy Hash: F3810371A211069FDF548F78C8989AABFF6FF89300F21455AE4C2EB351C6308A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 87c62ff6e11142ec34897f038ef37afed982ece11983876642b0af866767c083
                                          • Instruction ID: 061b493890e0bee1939e6aed269bc3c7e30e364ed7b9e6afa2caaa032ffa2a17
                                          • Opcode Fuzzy Hash: 87c62ff6e11142ec34897f038ef37afed982ece11983876642b0af866767c083
                                          • Instruction Fuzzy Hash: EA81F471A211069FDF549F78C8989AABFF6FF89300F21455AE4C2EB351C6318A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 77208fe2edcf1b2bd1298a95b13e39a32d0caca0414d6ac8d6eb363cc590e9d6
                                          • Instruction ID: c1e657f73e6153c64e0930f502663f788598568de0293aecf58ecec977eb73c2
                                          • Opcode Fuzzy Hash: 77208fe2edcf1b2bd1298a95b13e39a32d0caca0414d6ac8d6eb363cc590e9d6
                                          • Instruction Fuzzy Hash: EF81F271A21106AFDF549F78C8999AABFF6FF89300F21455AE5C2DB351C6308A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: ab5dfb56104187b609ee6e8b4a01f1adaecea6d2d0b5b403c663ccc4bba1cf07
                                          • Instruction ID: 8bb166ade7622ed44779b44b98199fd9ee1a8796309eefe807c4b1c26d1bef0c
                                          • Opcode Fuzzy Hash: ab5dfb56104187b609ee6e8b4a01f1adaecea6d2d0b5b403c663ccc4bba1cf07
                                          • Instruction Fuzzy Hash: 2081E271A211069FDF549F78CC589AABFF6FF89300B21455AE5C2EB351C6318A05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: <$<
                                          • API String ID: 0-213342407
                                          • Opcode ID: 2f4dbacb4f2e6fe3a262ca056ddfb9edacbf438319f0b1778fb1617730632546
                                          • Instruction ID: 2df4fab7bab1d6e1592a76dd4572941e1ff297fd5cba65f924fd915a83c00144
                                          • Opcode Fuzzy Hash: 2f4dbacb4f2e6fe3a262ca056ddfb9edacbf438319f0b1778fb1617730632546
                                          • Instruction Fuzzy Hash: 8B61FE70E0122ADFDF48CFAAC844AEEBBB6FF89304F14A069D405A7255DB345A45CF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $^q$$^q
                                          • API String ID: 0-355816377
                                          • Opcode ID: 7373532f5a0d1f67c2247832874be4164a84d9bd6b31b6e995acb136f052e826
                                          • Instruction ID: 9f4ca5f20e35ebfccac7edca459443dfa79e83c3619fccddfa12d4ed77f02461
                                          • Opcode Fuzzy Hash: 7373532f5a0d1f67c2247832874be4164a84d9bd6b31b6e995acb136f052e826
                                          • Instruction Fuzzy Hash: 1A519E34B102099FDF589F75C894BAE7AF3BBC8711F208429E506EB390CA75CD418B90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: 87a21f8c85024d7fe37cfb053af28b2b7f9c1e2336a0047dfa600d5ea0dbbc91
                                          • Instruction ID: be54ac1836d1e2cb931de656a1442eccf6187efda643a1df7a9b4fa2634e719d
                                          • Opcode Fuzzy Hash: 87a21f8c85024d7fe37cfb053af28b2b7f9c1e2336a0047dfa600d5ea0dbbc91
                                          • Instruction Fuzzy Hash: 7341C631B201158FEB889F69C955A6EBAB6FFC8310F11402AE542EB350D635DE05CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: T(z
                                          • API String ID: 0-3184255237
                                          • Opcode ID: 42a420c621e4720038c59479b3ddce3bdeb742807dd0868595ffec36443ce236
                                          • Instruction ID: 509491caf291d1816e12035735a5ff2a547221cb1ca1027b64e3fc14d5904dc0
                                          • Opcode Fuzzy Hash: 42a420c621e4720038c59479b3ddce3bdeb742807dd0868595ffec36443ce236
                                          • Instruction Fuzzy Hash: 8141E732F142058FEF988AB989515BFB6B7EBC8610F10D426D557BB294DA70CE0187F1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: T(z
                                          • API String ID: 0-3184255237
                                          • Opcode ID: 407d38b90dd74311e2e34a2ff7d7b1f40d4fdb1551675cedda9f6c1a07fc08b7
                                          • Instruction ID: 83bc92bef653ec7ffe46e0dc391e270feded6e6935fe26ac7a51b33d9e06710b
                                          • Opcode Fuzzy Hash: 407d38b90dd74311e2e34a2ff7d7b1f40d4fdb1551675cedda9f6c1a07fc08b7
                                          • Instruction Fuzzy Hash: AD41E831F142058BEF988AB989516BFB6B7EBC8610F10D426D557BB294DA70CE018BF1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 09ee7ef815412b9f009ddd151d60aa089a45465d73b114aa524c13995742604f
                                          • Instruction ID: e7eb01833f252461ce2e0583ef340ec1774e1fa43a84e9093b5506dbcb2af5b4
                                          • Opcode Fuzzy Hash: 09ee7ef815412b9f009ddd151d60aa089a45465d73b114aa524c13995742604f
                                          • Instruction Fuzzy Hash: 9072B231D0162A8BCB64EF69DC94ADDF7B2FF59300F1096AAD45977250EB306A85CF80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ce49db438663113e18c3aff63e30057db241910e495cbad845fe75cddf050f97
                                          • Instruction ID: 04c0bb5ab67b37e4ae5256a38fc402d3ef90a72f180b349a687828fe735471b2
                                          • Opcode Fuzzy Hash: ce49db438663113e18c3aff63e30057db241910e495cbad845fe75cddf050f97
                                          • Instruction Fuzzy Hash: DB32C170D1022ACFDB65DF68C890BEDB7B2BF99300F108699D51977250EB706A89CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 053b6b78f6e9eb876cc6b91f80e2783e4ebecdf7e36b4a55dd69223f82428f77
                                          • Instruction ID: 17ff4c6774aa894a2f4aac9080b5246bfdf48f0efc4b3ee32940f79cd07a88a9
                                          • Opcode Fuzzy Hash: 053b6b78f6e9eb876cc6b91f80e2783e4ebecdf7e36b4a55dd69223f82428f77
                                          • Instruction Fuzzy Hash: 0AB1C071205186CFDB948F68D588569BFF2FF89304726899AD5C2CB253D734D842CBE2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c42f443efcf551335110ca8a795d8f72c937df2eb2ecb4b97447e634df89de3b
                                          • Instruction ID: adbd9719d25c7a5645b2ab7ef578a03ba42eec3b96155db2a6021a59f6895db2
                                          • Opcode Fuzzy Hash: c42f443efcf551335110ca8a795d8f72c937df2eb2ecb4b97447e634df89de3b
                                          • Instruction Fuzzy Hash: 0BF1A175D012298FDB64DF69C980BDDF7B2BF48300F1086AAD459B7250EB706A85CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fefb66e95000135f809af80f46e41c70be689f10c5678bac7abd9c4809b870da
                                          • Instruction ID: 5b73f0f554e74c315f06032efbbaaf02555377f0f643b9332ee3d7fe4c4af3e1
                                          • Opcode Fuzzy Hash: fefb66e95000135f809af80f46e41c70be689f10c5678bac7abd9c4809b870da
                                          • Instruction Fuzzy Hash: B2D12834E102198FDB14EBB4C850BDDB771FF8A304F608669E5497B285EB706989CF92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c725d5440c89638946c68e7987d43edf8d5712a812d20b87bb10f0c10bd5a0b2
                                          • Instruction ID: 5df4291556d877208b2c9ce7a16351941742dfe125ca52bf164ef499dfbfb127
                                          • Opcode Fuzzy Hash: c725d5440c89638946c68e7987d43edf8d5712a812d20b87bb10f0c10bd5a0b2
                                          • Instruction Fuzzy Hash: 7CD12834E102198FDB14EBB4C850BDDB771FF8A304F608669E5497B285EB706989CF92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fda92fbcf13d906f24a25a2d7280a63a99e71befc414fb1a36da7664c4ef9745
                                          • Instruction ID: b7f25728314be3b2ad06d94cc25a3dcdf767cc7190e5c25efd9c25375f5dd5a8
                                          • Opcode Fuzzy Hash: fda92fbcf13d906f24a25a2d7280a63a99e71befc414fb1a36da7664c4ef9745
                                          • Instruction Fuzzy Hash: 0061BD71604145CFDB88CF68D580A2A7BF2BF84314B4684A6D946DF263E734ED42CBE2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7aae45c479360ed31c33828bf1b811793a501fc5295acd74c7105a62aa0a70c6
                                          • Instruction ID: 7e069b79cf8aa35b5f73bbb9569c77a53ed019b5c52119f4fe5edcc816a46ccf
                                          • Opcode Fuzzy Hash: 7aae45c479360ed31c33828bf1b811793a501fc5295acd74c7105a62aa0a70c6
                                          • Instruction Fuzzy Hash: CE21F6B0D086588BEB18CFA7C9547EEBBF7AFC9300F14C06AD509A6269DB741946CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40c60f1d3c417fa5a025529930f701a733dbd737fd7999e9476d415032c822c1
                                          • Instruction ID: 1962a10da6fb311d0648cdedf8fc3d43518f45b7387d800beebb5a9f4d7f35d6
                                          • Opcode Fuzzy Hash: 40c60f1d3c417fa5a025529930f701a733dbd737fd7999e9476d415032c822c1
                                          • Instruction Fuzzy Hash: E121D5B1D046198BEB18CF97C9547EEFAF7AFC9310F14C02AD509A6269DB740946CE90
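Every entry above has the same shape: an optional APIs list, a Source File line naming the memory dump and the offset the function came from, then the function's opcode and instruction hashes. The Python below is an added example (not code from Joe Sandbox or from this report) that parses a constructed excerpt, made of lines copied from this page, into per-dump summaries: how many functions the IDA plugin found in each dump, which imports they resolve, and whether the Offset value agrees with the base address encoded in the file name. The decoding of the dotted file name is this example's assumption: the fourth field is taken as the region base (it matches the Offset on the same line in every entry here), the fifth as a Win32 page-protection value (0x40 is PAGE_EXECUTE_READWRITE) and the seventh as the memory type (0x20000 is MEM_PRIVATE); the remaining fields are left undecoded.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt: four function entries copied from this report, cut down
# to the lines the summary reads (an APIs list, the Source File line, Opcode ID).
REPORT_EXCERPT = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 00ACD8D6
• GetCurrentThread.KERNEL32 ref: 00ACD913
• GetCurrentProcess.KERNEL32 ref: 00ACD950
• GetCurrentThreadId.KERNEL32 ref: 00ACD9A9
• Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
• Opcode ID: 179c198630d20220b147e5af301f3b2d613f0bd941e6c27103c4bcb5a54461d1
• Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
• Opcode ID: ab5dfb56104187b609ee6e8b4a01f1adaecea6d2d0b5b403c663ccc4bba1cf07
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 026F619E
• Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
• Opcode ID: 076e4c95ae474359ceaef6e026a56d2fd4a6989348faa4524ff298dc1d1b2cb3
APIs
• CreateActCtxA.KERNEL32(?), ref: 00AC5DC9
• Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
• Opcode ID: 7cd218c3df4ffcec75020a5135b06e7b02d0d860b73ad0fd374df00786d14359
"""

SOURCE_RE = re.compile(r"Source File: (?P<name>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)")
API_RE = re.compile(r"^• (?P<api>[A-Za-z0-9_]+)\.[A-Z0-9]+")
OPCODE_RE = re.compile(r"Opcode ID: (?P<id>[0-9a-f]{64})")

# winnt.h constants; mapping them onto name fields 5 and 7 is this example's assumption.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class FunctionEntry:
    dump: str
    offset: int
    pe_backed: bool
    apis: List[str]
    opcode_id: Optional[str] = None


def parse_dump_name(name: str) -> dict:
    """Decode the dotted .sdmp name; only the base, protection and type fields are read."""
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    protect, mem_type = int(fields[4], 16), int(fields[6], 16)
    return {"base": int(fields[3], 16),
            "protect": PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:x}"),
            "executable": bool(protect & 0xF0),   # PAGE_EXECUTE* occupy the high nibble
            "type": MEM_TYPE.get(mem_type, f"0x{mem_type:x}"),
            "raw_fields": fields}                 # undecoded fields kept for the analyst


def parse_entries(text: str) -> List[FunctionEntry]:
    """Walk the report top to bottom; an APIs list belongs to the Source File after it."""
    entries: List[FunctionEntry] = []
    pending_apis: List[str] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            pending_apis = []
            continue
        m = SOURCE_RE.search(line)
        if m:
            current = FunctionEntry(m["name"], int(m["offset"], 16), m["pe"] == "true", pending_apis)
            pending_apis = []
            continue
        m = OPCODE_RE.search(line)
        if m and current is not None:          # the Opcode ID line closes the entry
            current.opcode_id = m["id"]
            entries.append(current)
            current = None
            continue
        m = API_RE.match(line)
        if m and current is None:              # "• Name.MODULE ..." lines under APIs
            pending_apis.append(m["api"])
    return entries


def summarize(entries: List[FunctionEntry]) -> Dict[str, dict]:
    by_dump: Dict[str, dict] = {}
    for e in entries:
        s = by_dump.setdefault(e.dump, {"region": parse_dump_name(e.dump), "pe_backed": e.pe_backed,
                                        "functions": 0, "apis": set(), "offset_mismatch": False})
        s["functions"] += 1
        s["apis"].update(e.apis)
        if e.offset != s["region"]["base"]:     # Offset should equal the base in the file name
            s["offset_mismatch"] = True
    return by_dump


def unbacked_executable(summary: Dict[str, dict]) -> List[str]:
    """Executable regions with no PE on disk behind them: where unpacked or injected
    code lands, but a CLR JIT code heap has exactly the same shape (see note)."""
    return sorted(d for d, s in summary.items() if s["region"]["executable"] and not s["pe_backed"])
```

Under this decoding every dump in the section comes out the same way: RWX private memory that is not PE-backed, which is where unpacked or injected code ends up. For a managed sample the CLR's JIT code heap is also RWX private memory, so that property alone does not separate injected code from the runtime's own; the resolved imports (CreateProcessA, CreateActCtxA, GetCurrentThreadId) and the per-function hashes are the better pivot for choosing which dump to open in a disassembler.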

                                          Control-flow Graph (function at 0x00ACD858; basic blocks are numbered as in the report, and the executed / not executed colouring of the original graph is not preserved in this listing)
                                          • 388: acd858-acd8e7, calls GetCurrentProcess; successors 392, 393
                                          • 392: acd8e9-acd8ef; successor 393
                                          • 393: acd8f0-acd924, calls GetCurrentThread; successors 394, 395
                                          • 394: acd92d-acd961, calls GetCurrentProcess; successors 397, 398
                                          • 395: acd926-acd92c; successor 394
                                          • 397: acd96a-acd982; successor 401
                                          • 398: acd963-acd969; successor 397
                                          • 401: acd98b-acd9ba, calls GetCurrentThreadId; successors 402, 403
                                          • 402: acd9bc-acd9c2; successor 403
                                          • 403: acd9c3-acda25 (no successors; function exit)
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00ACD8D6
                                          • GetCurrentThread.KERNEL32 ref: 00ACD913
                                          • GetCurrentProcess.KERNEL32 ref: 00ACD950
                                          • GetCurrentThreadId.KERNEL32 ref: 00ACD9A9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ac0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 179c198630d20220b147e5af301f3b2d613f0bd941e6c27103c4bcb5a54461d1
                                          • Instruction ID: 9c3c48ccd56f742175a5ad75007da948a99a4fd3ef8d0aeb9ec258b1d0b66325
                                          • Opcode Fuzzy Hash: 179c198630d20220b147e5af301f3b2d613f0bd941e6c27103c4bcb5a54461d1
                                          • Instruction Fuzzy Hash: 075144B49003098FDB04DFAAD548BDEBBF1EF88314F20846DE459A7290DB749984CB65
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hbq$Hbq
                                          • API String ID: 0-4258043069
                                          • Opcode ID: 0500778a947414338439c3f250553da3c99cd67141561a35f1e8c040889ce1db
                                          • Instruction ID: 4c29119cf0bf22db3ce766242cea4178800fed5615b1a106a8bfff16f979fdab
                                          • Opcode Fuzzy Hash: 0500778a947414338439c3f250553da3c99cd67141561a35f1e8c040889ce1db
                                          • Instruction Fuzzy Hash: 58817F74E003589FDB05DFA9C8946EEBBF2FF89300F14856AD409AB351DB385946CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-227171996
                                          • Opcode ID: a38aa0f431dfdf718d1269b1b1bbcd32887928f02e1e33095458765b10c23cc3
                                          • Instruction ID: fdef08f1c3ac6ae80eb83fe73fbb02b7408e4f4de5cca6cdefe5d55a05d018dc
                                          • Opcode Fuzzy Hash: a38aa0f431dfdf718d1269b1b1bbcd32887928f02e1e33095458765b10c23cc3
                                          • Instruction Fuzzy Hash: CD718E31910701CFDB01EF39D8C5A65B7B1FF85304B558AA9D949AB326EF71E988CB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q$Te^q
                                          • API String ID: 0-3743469327
                                          • Opcode ID: e21eeba3055bd223446a39311cd1ae6cd92b192183388fd1492cc3e76f50d771
                                          • Instruction ID: dd5d842476707bb1453d70c90cea7c3646cffdb56c9bdf9de59dfde8e2d1bfcb
                                          • Opcode Fuzzy Hash: e21eeba3055bd223446a39311cd1ae6cd92b192183388fd1492cc3e76f50d771
                                          • Instruction Fuzzy Hash: 3051C374E042088FDF44CFA9D984AEDBBB6BF89300F10912AD919AB364DB705905CF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-227171996
                                          • Opcode ID: 750ec51b9002a73922a11760ead490464b3ed19a316bbd9dc5a7a404d34a8843
                                          • Instruction ID: 476672bf43e7f3d916052c16743ad0c59ca82f8db23c4c0fb96063c01300930e
                                          • Opcode Fuzzy Hash: 750ec51b9002a73922a11760ead490464b3ed19a316bbd9dc5a7a404d34a8843
                                          • Instruction Fuzzy Hash: 9D617B31910701CFDB01EF29D8C5A65B7B1FF85314B5186A9D949AB326EF71E988CB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $^q$$^q
                                          • API String ID: 0-355816377
                                          • Opcode ID: 30777ae9b2b6f2da4a8ef9f660f2c6f911399ffe35b7a950fa1d6a183714c659
                                          • Instruction ID: 02435db0511b853c73d7648f93624bf5981b621c8fce0b14ebc20251685cb0be
                                          • Opcode Fuzzy Hash: 30777ae9b2b6f2da4a8ef9f660f2c6f911399ffe35b7a950fa1d6a183714c659
                                          • Instruction Fuzzy Hash: BF516D34B002099FDB589F75D8A4BAE7AE3BBC8711F248429E506EB7A4DE35DD018B50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $^q$$^q
                                          • API String ID: 0-355816377
                                          • Opcode ID: 256204f612419bc703a4c1d5b3b6491d8a7db0632100cf4548af2cc6a6010b76
                                          • Instruction ID: fa823e591eb3707224ebf3ed5f58782033301839edef983de3cd34e9226e14c0
                                          • Opcode Fuzzy Hash: 256204f612419bc703a4c1d5b3b6491d8a7db0632100cf4548af2cc6a6010b76
                                          • Instruction Fuzzy Hash: 8C417F34B002089FDB589F75D8A4B6E7AE3FBC8711F208429E906EB7A4DE35DD018B50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'^q$4'^q
                                          • API String ID: 0-2697143702
                                          • Opcode ID: 97edc1f2027650ef0c03c546df520fbfd8237a5d1fe9d5c865439b8b39566f3c
                                          • Instruction ID: 1f6398f5064a0c8188e41a64192d126662683112eac7039523b82a749235023b
                                          • Opcode Fuzzy Hash: 97edc1f2027650ef0c03c546df520fbfd8237a5d1fe9d5c865439b8b39566f3c
                                          • Instruction Fuzzy Hash: AA414C71D1171AABDB04EFA9D8406DDF3B2FF95700F618A29E5087B251EB707585CB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'^q$4'^q
                                          • API String ID: 0-2697143702
                                          • Opcode ID: 0a9b3ebc9583b8f0efa35df9cb09e972ab145843080b079ff4b33529beaa9a78
                                          • Instruction ID: e738340cf078d8d3560fbe8f5dbbf0c709e04d2045a169a4742764de50b1c28f
                                          • Opcode Fuzzy Hash: 0a9b3ebc9583b8f0efa35df9cb09e972ab145843080b079ff4b33529beaa9a78
                                          • Instruction Fuzzy Hash: 96414C71D1171AABDB04EFA9D8406DDF3B2FF95700F618A29E5087B251EB707685CB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 2
                                          • API String ID: 0-450215437
                                          • Opcode ID: 092ed94c8b0e0a27a879e789c86b3eba7866681cf11a6deb3160915a3a85e6d2
                                          • Instruction ID: b30992bde1959aa755a7fd0bde2961b8591677fc4c41532d0f596c8ff9d277a1
                                          • Opcode Fuzzy Hash: 092ed94c8b0e0a27a879e789c86b3eba7866681cf11a6deb3160915a3a85e6d2
                                          • Instruction Fuzzy Hash: 5442B53594166B8FCB12CF24D988AE9BBB6AF06304F4544E5E94D7B221CB716F86CF40
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 026F619E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 076e4c95ae474359ceaef6e026a56d2fd4a6989348faa4524ff298dc1d1b2cb3
                                          • Instruction ID: a19f68fda6e87b0756bec42e8ceeb2f0d0401f24b3418a50bc09432e0a21cb04
                                          • Opcode Fuzzy Hash: 076e4c95ae474359ceaef6e026a56d2fd4a6989348faa4524ff298dc1d1b2cb3
                                          • Instruction Fuzzy Hash: A7A19B70D002598FDF64CFA8C981BEEBBB6FF48314F1481A9E919A7240DB749985CF91
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 026F619E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 4bfa4cbb9c789a65eb892c8def3c13fb61842d33fa1e6780591488b1cc3786f6
                                          • Instruction ID: 09a64056d6009f31a4b319f8139d7c412e35e1e8c40050af30ad340a42577c7c
                                          • Opcode Fuzzy Hash: 4bfa4cbb9c789a65eb892c8def3c13fb61842d33fa1e6780591488b1cc3786f6
                                          • Instruction Fuzzy Hash: 9B918B70D00259CFDF64CFA8C981BEEBBB6BF48314F1481A9E919A7240DB749985CF91
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00AC5DC9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ac0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00AC5DC9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ac0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06E26CBF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 026F5D70
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06E26CBF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 026F5D70
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 026F578E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 026F5E50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 026F578E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 026F5E50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ACDB27
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ac0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ACB8A1,00000800,00000000,00000000), ref: 00ACBAB2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ac0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 026F5C8E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 026F5C8E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00ACB826
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ac0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 026FA1E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 026FA1E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hbq
                                          • API String ID: 0-1245868
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (bq
                                          • API String ID: 0-149360118
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q
                                          • API String ID: 0-671973202
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hbq
                                          • API String ID: 0-1245868
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hbq
                                          • API String ID: 0-1245868
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hbq
                                          • API String ID: 0-1245868
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Te^q
                                          • API String ID: 0-671973202
                                          • Opcode ID: d1b3e56965874983f16614f4ee77f3263e09d7a8d2e6c08bda8abee5c93e7016
                                          • Instruction ID: 96f81497264a966a505ec315e94d997cd56db75c8045e6cce6c3713f70ff98b9
                                          • Opcode Fuzzy Hash: d1b3e56965874983f16614f4ee77f3263e09d7a8d2e6c08bda8abee5c93e7016
                                          • Instruction Fuzzy Hash: 09114F76F002198BCF44EBB998106FEB7F6ABC4350B54407AC455EB240EB368D06C7A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: W
                                          • API String ID: 0-655174618
                                          • Opcode ID: d9c5c4b42d8e1a20052c712e380ae45ec3f408788b40c8a687513d7f44f31aaf
                                          • Instruction ID: a68642f35ded02292d2b89281c69a86870adb5e2752f8870acd890e79bf93490
                                          • Opcode Fuzzy Hash: d9c5c4b42d8e1a20052c712e380ae45ec3f408788b40c8a687513d7f44f31aaf
                                          • Instruction Fuzzy Hash: F911B038741108DFDB44DF68D498EA97BB1AF49319F114099FA069B3B2DA32EC42CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6f89f9dd9016881493e767c8b2860e0aac71d1c55623eb2e76daf2cec53ff8b
                                          • Instruction ID: 0c1a20cd1e5dcc3db7cf75106a984fe7f3e9cb7e3e4b10b4e4eafb13954b8bda
                                          • Opcode Fuzzy Hash: d6f89f9dd9016881493e767c8b2860e0aac71d1c55623eb2e76daf2cec53ff8b
                                          • Instruction Fuzzy Hash: 4B62AB70E01B458BD7745F6488983AE7BA1FF85306F10492EC0BECE6D5DB39A481CB99
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a752325054f35ee8c400e154c642e015b6c8b787700a2c50daf68d0263027be6
                                          • Instruction ID: b3328697d4a9b8a1d16deb53aede149033c8ae66338ac24105f2440d6b38d1e6
                                          • Opcode Fuzzy Hash: a752325054f35ee8c400e154c642e015b6c8b787700a2c50daf68d0263027be6
                                          • Instruction Fuzzy Hash: 85726B31D0061ACFDB54EF68C894AADB7B1FF45304F008299D559AB265EF30AAC9CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 190cfbabe2f0a045b9cdd1a1bf0f9effd9641f1955bc0450039ce89010a71460
                                          • Instruction ID: 348ac07c2b650be4dfc9a9d4897429ecaf15353f144576504c8ded4ecaca73f4
                                          • Opcode Fuzzy Hash: 190cfbabe2f0a045b9cdd1a1bf0f9effd9641f1955bc0450039ce89010a71460
                                          • Instruction Fuzzy Hash: E652263990065ACFCB11DF24D9A8AEA7BB6EF46300F1541E5E84A7B255CB346E86CF40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 447c39419e82ceb9f9828c6f3248d46eb1356b51cafba8100213a70c35299420
                                          • Instruction ID: c94d41c4dac0ce5083f65c25c1293ba82ee5da6819ce232b5e774bc6eba40437
                                          • Opcode Fuzzy Hash: 447c39419e82ceb9f9828c6f3248d46eb1356b51cafba8100213a70c35299420
                                          • Instruction Fuzzy Hash: 65224BB0D05B428AD7745F64998429EB790BF46311F20495FC1FECE2D9DB36A086CBCA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fee01eeb11e4b236e5796d3464ca54a300b5d46c956e30b69f490dba3b778cbd
                                          • Instruction ID: 98628626e8380f0af7649728d16450762d617a148f79ee38aedb898e4989c67b
                                          • Opcode Fuzzy Hash: fee01eeb11e4b236e5796d3464ca54a300b5d46c956e30b69f490dba3b778cbd
                                          • Instruction Fuzzy Hash: 9A812674200B048FC749EF38C854A9AB7E6FFC9301B11896DE51A9B361EF31AD46CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1eae206269f40ce4ddd1a3e28c010f1c8ad7d0e512d08b386b8c90809545a9f2
                                          • Instruction ID: 150e2c3c146edf11f809cf080792c7fedcd89f559011a5ac7881d8bf3dd43f6a
                                          • Opcode Fuzzy Hash: 1eae206269f40ce4ddd1a3e28c010f1c8ad7d0e512d08b386b8c90809545a9f2
                                          • Instruction Fuzzy Hash: 5D91F97190061ADFCB41DFA8C880999FBF5FF89310B14879AE819AB355E770E985CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e91d1d841b1a0f7b00f9c9129d9115d0ec9b9f4a086cda3e1bc46aaa0aa6f9fe
                                          • Instruction ID: 720429cc76ff72c00ed014a7d3a11b780e1279ce575a187e3afc303111fff0bf
                                          • Opcode Fuzzy Hash: e91d1d841b1a0f7b00f9c9129d9115d0ec9b9f4a086cda3e1bc46aaa0aa6f9fe
                                          • Instruction Fuzzy Hash: 20811674600B048FC749EF38C854A9AB7E6FFC9301B10896DE51A9B361EF31AD46CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: af926db007b7aca0840b371000b34ca7044ee1df43d8e2c156e1a28a8f1a5136
                                          • Instruction ID: 2858719b0e36f7c9f796ea3b003edb8993b1af69181752049af4723da99385c6
                                          • Opcode Fuzzy Hash: af926db007b7aca0840b371000b34ca7044ee1df43d8e2c156e1a28a8f1a5136
                                          • Instruction Fuzzy Hash: 4771CC79700A00CFC718DF29C498959BBF2FF8961971589A9E54ACB372DB32EC41CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: df084803dcb752f865abf2d9ea4085f6621698e733d91e4e0d1adff22023f178
                                          • Instruction ID: 5790f0009c24729fd16b315c5ec50e6dba469bb2f58a8d1c526d278fc3256854
                                          • Opcode Fuzzy Hash: df084803dcb752f865abf2d9ea4085f6621698e733d91e4e0d1adff22023f178
                                          • Instruction Fuzzy Hash: 4371CCB9600A00CFC718DF29C498959BBF2FF8971971589A9E54ACB372DB32EC45CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16714da4831c71cd0a75f74cdb532951a448daaef111f944e2d243398abe61c1
                                          • Instruction ID: 8315dd350d05e5c3993bf2a533bf4ed0bfe612427975894a1de376867af68ecc
                                          • Opcode Fuzzy Hash: 16714da4831c71cd0a75f74cdb532951a448daaef111f944e2d243398abe61c1
                                          • Instruction Fuzzy Hash: 0E51D431B003098FDB15EBA4C855AADBBF2EF84305F14852AE446AB351EF74AD4ACB41
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 223b8a980f548fb3ac492e8dfc3606f8926dd59bb9c5664d49afd3f1d533e4ff
                                          • Instruction ID: 836741323dcaa0a9323117f19eb5a350d45640227e1a8e8db817751ac6fe2bc1
                                          • Opcode Fuzzy Hash: 223b8a980f548fb3ac492e8dfc3606f8926dd59bb9c5664d49afd3f1d533e4ff
                                          • Instruction Fuzzy Hash: 13612971D1070ADFDB41DFA8C880999F7B0FF49320B14875AE859EB256EB70E985CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d109a7384a92b1e86b4c99b75161ac58c21e564915985bbdc0f8ef3990356ad
                                          • Instruction ID: 8164a66f6a32e86f780186cf7825e7c607af19c3154c5aa3998a796996281c8d
                                          • Opcode Fuzzy Hash: 1d109a7384a92b1e86b4c99b75161ac58c21e564915985bbdc0f8ef3990356ad
                                          • Instruction Fuzzy Hash: 5E51B2B490A689DFD706CB69E554988BFF1EF8A200B2684D6D484CB373CB359D16C713
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 299734475ccd99b74edff773f47d33c090ff0129d5886004f0df3958650662b7
                                          • Instruction ID: bf379bb7a6a6ddde1f7ecbacca54583994a1584f43fd3bf167d39dcb322ed149
                                          • Opcode Fuzzy Hash: 299734475ccd99b74edff773f47d33c090ff0129d5886004f0df3958650662b7
                                          • Instruction Fuzzy Hash: E4411274E092098FDB48CFAAC4446AEBBF6AF8D310F14D02AD859E7351D73499418BA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8acc1159e42931df33ca6f236f4b301bf30174202b5e5c560f56f40a94a85486
                                          • Instruction ID: 9028c2bb70629f1d3c225f70a86840292841722b63d5f0dc79de482db06c79f1
                                          • Opcode Fuzzy Hash: 8acc1159e42931df33ca6f236f4b301bf30174202b5e5c560f56f40a94a85486
                                          • Instruction Fuzzy Hash: 0641BB79E0122ACFCB11EFA9D844AEDBBF5FB88312F144165D805E7350DB30A906CBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 90d02bfd858a613b565e200aede93583afb5db851fb6f523329b39a53441e15b
                                          • Instruction ID: 97d6140928cc06ac404a56e24f6b6f40d6b9beebe0f4a28bb86e79bda1db641a
                                          • Opcode Fuzzy Hash: 90d02bfd858a613b565e200aede93583afb5db851fb6f523329b39a53441e15b
                                          • Instruction Fuzzy Hash: 03415574D0921AEFDF80CFA8E4948EEBBB5FB4E610B019856E496E7311D731D850DBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 88c1083015960d173531a899ddd4ddc6c59394097b9922daafdaba77ef42cbb0
                                          • Instruction ID: d1ea5e6c90e510a2d7978044a41e488292609abf7301586a79924b734a137aa2
                                          • Opcode Fuzzy Hash: 88c1083015960d173531a899ddd4ddc6c59394097b9922daafdaba77ef42cbb0
                                          • Instruction Fuzzy Hash: DA410874A002188FDB44EBA8C854FDEB7F1FF49715F114059E505AB3A1DB34A805DFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b1fa0298226480b956d7d2fee8403d383e4bc89a3b8e70881cea1287f6034db
                                          • Instruction ID: 2f78de7ea615becdd46d0f699882204baf777710481e36dfd6bf8198a52edd35
                                          • Opcode Fuzzy Hash: 3b1fa0298226480b956d7d2fee8403d383e4bc89a3b8e70881cea1287f6034db
                                          • Instruction Fuzzy Hash: 3641F274E0921AEFDF80CFA8E4948EEBBB5FB4E610B019855E496E7310D731D850DBA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1bb3fbb4e30ea081dbdb4bd1a14cbbf765062d530e8ce167d0f91ac1a1ff33bf
                                          • Instruction ID: fdcb509ae8dcf2cc1ba275748472e5c230d12ad189d1893d018359f66d66813c
                                          • Opcode Fuzzy Hash: 1bb3fbb4e30ea081dbdb4bd1a14cbbf765062d530e8ce167d0f91ac1a1ff33bf
                                          • Instruction Fuzzy Hash: 6341AC74E1021E9FDF44DFA9D8A4AEDBBB2BB49310F149059E815FB210DB34A941CF64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f187a07e6f3c6a82c26b5b631fc75c80d9fe49412c4fca2d9b0b71423f2356a7
                                          • Instruction ID: 1882837b010f399ccc7a96460ed4a1d7144b3b3dc18c0ff853250a1766fb2556
                                          • Opcode Fuzzy Hash: f187a07e6f3c6a82c26b5b631fc75c80d9fe49412c4fca2d9b0b71423f2356a7
                                          • Instruction Fuzzy Hash: 0831A174F102555BDF14AFB998189BFBBFAEFC4209B00842AE556D3341EF389D0187A0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 480af11d48e06579438241d285b5295b34f40829b02e732bb366efb23741e9f4
                                          • Instruction ID: 1186942c8c048dd06bbfa741c66faa09a902e6ee01bd464cbd20850fc5ac24b5
                                          • Opcode Fuzzy Hash: 480af11d48e06579438241d285b5295b34f40829b02e732bb366efb23741e9f4
                                          • Instruction Fuzzy Hash: 14410270D0921AEFDF80CFA8E4948EDBBB1FB4E610F019855E496E7311CB329850DBA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c9020fb9e42bf8021526b92297ae237c567320f434d05ff9741399ddb805665c
                                          • Instruction ID: bb6ef9132410a71aff5fa2474b5dfb1c8a042d2299fda88f4e6f14de3de8755f
                                          • Opcode Fuzzy Hash: c9020fb9e42bf8021526b92297ae237c567320f434d05ff9741399ddb805665c
                                          • Instruction Fuzzy Hash: A73159B69102089FCF54DFA9D844ADEBFF5EF49310F10842AE919A7210D735A944CFA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d5af170ebd03b619d36d8ce210843124bf0e0b8bc0c0747cb5d5765548fe905c
                                          • Instruction ID: a7021bd2b69c53f6d21b9d171d98cd2aa9d40ffe74710f1bf2f5f830d59454b2
                                          • Opcode Fuzzy Hash: d5af170ebd03b619d36d8ce210843124bf0e0b8bc0c0747cb5d5765548fe905c
                                          • Instruction Fuzzy Hash: 1C417F30B003098FCB15EBA4C594AADBBB2EF84306F18892DD446AB395DF74AD46CB41
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe714254132a2918539f484839ddd4305276a3f3462a0dca7638da715e7e6974
                                          • Instruction ID: 8e6401536a9b76eabd5f06b45b0aeacf2702fed59ddfa97822aa4e437521f15a
                                          • Opcode Fuzzy Hash: fe714254132a2918539f484839ddd4305276a3f3462a0dca7638da715e7e6974
                                          • Instruction Fuzzy Hash: 43315A35B005098FDB05DF64CA80EDE7BF6EF89305F1580A9E805AB362DA35EE05CB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65304496fa5b82c7d82badfdd74b15980b19930900b66e100e8461be22242477
                                          • Instruction ID: b72235bc62ab9c673f0d13abff76ba489c71d2e6d506dd7262bf9a3aaf8755f5
                                          • Opcode Fuzzy Hash: 65304496fa5b82c7d82badfdd74b15980b19930900b66e100e8461be22242477
                                          • Instruction Fuzzy Hash: 3741F0B1D00308DFDB20CFA9C584ACDBBB1BF48304F24812AD419AB251D775AA8ACF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a40def362c52ad5f954cfefd38f87a8845115b1710c59aba3d2725c17becb682
                                          • Instruction ID: 3bea341e3488b68f2f5e135897b30bdbbcc34a53b9437fdad3800784f02146ce
                                          • Opcode Fuzzy Hash: a40def362c52ad5f954cfefd38f87a8845115b1710c59aba3d2725c17becb682
                                          • Instruction Fuzzy Hash: 6E41C2B1D00309DBDB24DFA9C584ADDBBF5BF48305F24802AD409BB254D775AA4ACF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77f14b8f62d64f0ec06730839daa841c88e2d4f0b11d58cffb187923db822e17
                                          • Instruction ID: a9367cdead925f9f15827edbc48c72be00d6b42faf5f660b5ac7cd282bf1ae86
                                          • Opcode Fuzzy Hash: 77f14b8f62d64f0ec06730839daa841c88e2d4f0b11d58cffb187923db822e17
                                          • Instruction Fuzzy Hash: 8741E2B1D00309DBDB24DFA9C584ADDBBF5BF48305F24802AE409BB254D775AA49CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05d2cbad17f5cf07b403893430bae776779332eed61f22d8cc661f3576ce84ab
                                          • Instruction ID: 2bac59a6ed53129fc0f5c93393c63373cb54da6a944ff8dfbd2c3181562940b5
                                          • Opcode Fuzzy Hash: 05d2cbad17f5cf07b403893430bae776779332eed61f22d8cc661f3576ce84ab
                                          • Instruction Fuzzy Hash: 4141AE71A05700CBE712EF78C8847657BB1FF89314F0986BADC496B25AEF35A844CB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b07e619faa741501e35ada48cb938be16026b4a0a7009188943237eff8ace6d6
                                          • Instruction ID: 7fcefefc1dcbefbd6df82d722cc7b5f385e64cd227a6163d5cbe8ff105caa6eb
                                          • Opcode Fuzzy Hash: b07e619faa741501e35ada48cb938be16026b4a0a7009188943237eff8ace6d6
                                          • Instruction Fuzzy Hash: AF41FD75A0064A9FCB40DF68D8849AEFBB5FF49314B14C699E818AB311E730ED45CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed085a4793026dd837f50edb0ed412d5bd767d1fe95331570845e654457323ee
                                          • Instruction ID: c2de0de64953d347036ec729afa88fea59cf794b3e39be8dec873d29ca1bae8e
                                          • Opcode Fuzzy Hash: ed085a4793026dd837f50edb0ed412d5bd767d1fe95331570845e654457323ee
                                          • Instruction Fuzzy Hash: C841E675A0060A9FCB40DF69D88499EFBB5FF49310B14C659E918AB321E730ED85CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f3352a1d2d563c473f9de7d6314bed2a65808392b40b899dc1ab7f911fd829d
                                          • Instruction ID: c1199edde408133949bf9450d60369391608582cda1c7393250fd8d483c5bc0c
                                          • Opcode Fuzzy Hash: 6f3352a1d2d563c473f9de7d6314bed2a65808392b40b899dc1ab7f911fd829d
                                          • Instruction Fuzzy Hash: 8241B0B0D103589FDB14CFAAD884ADEFBB5BF88710F20812AE418BB254D775A845CF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbb7713b2d01883e058fbd425b29881fa44c8dc4638982572d4655100fea2080
                                          • Instruction ID: adc57cac77b2ee05f14e2b08b9e78c5a5fce54948bd3bfd5178302ddf1f355b8
                                          • Opcode Fuzzy Hash: bbb7713b2d01883e058fbd425b29881fa44c8dc4638982572d4655100fea2080
                                          • Instruction Fuzzy Hash: 58317E75A006008BEB05EF79D88476577B6FF89314F0986B9DD496B24AEF31A484CB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1cdb63482b4a98b673e404245f6d9f02bb87cd2f6cba0313765a240135128920
                                          • Instruction ID: 08e21af3ec77f2c49858b8807ca5cb777fddf3001492a695728870e61b3fbc11
                                          • Opcode Fuzzy Hash: 1cdb63482b4a98b673e404245f6d9f02bb87cd2f6cba0313765a240135128920
                                          • Instruction Fuzzy Hash: 6A314670106186DFCB618F64C55C5A5FFF5FF4A3007268D9ED1D286282C734A846DFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8bed436705fb667a0b547830c4d1c4f286836fe21f3745ec83e7aef66ea5d84b
                                          • Instruction ID: fe954b134a79508cb68926143ffde922927f44c616d7687f9aea75027ab3fa1f
                                          • Opcode Fuzzy Hash: 8bed436705fb667a0b547830c4d1c4f286836fe21f3745ec83e7aef66ea5d84b
                                          • Instruction Fuzzy Hash: 3621E6326042448FCB11DF78C5448AABBE6EFC5315B0588ADE545DB752EF35EC098B91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eb2074158f6c71a033586758a0341b32664b4ee399773a111d3bb72e19f1fe78
                                          • Instruction ID: efeeb4a59c32c4b177c43668deb363c1dc0aa6cd7c5d85c5b8e94fdea366629c
                                          • Opcode Fuzzy Hash: eb2074158f6c71a033586758a0341b32664b4ee399773a111d3bb72e19f1fe78
                                          • Instruction Fuzzy Hash: 7C215771D01209DFCB04EFB8D8909EEBBB1FF8A305F10952AE554B7251EB306A49CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657541383.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_a5d000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 178e55c5a7eeeb80fa2ce855eb7b1f2f8ead0955be87147f81e600be07391229
                                          • Instruction ID: 760cb93fdf613a76157eaa294d4c2beb0e6a8d38f4a4dddf4e6ae42b43e773a7
                                          • Opcode Fuzzy Hash: 178e55c5a7eeeb80fa2ce855eb7b1f2f8ead0955be87147f81e600be07391229
                                          • Instruction Fuzzy Hash: D12136B1500200EFDB15DF04C9C0B26BF75FB94325F20C568EC0A0B246C336E85AC7A2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 505889db00dacf1fe4f3959438b270ef1b356de1ceb11b683adce5e535971339
                                          • Instruction ID: 6a3a69df1e46b8c63d50c9b96a893dd862dc3e1f20620c2521922688b9439f95
                                          • Opcode Fuzzy Hash: 505889db00dacf1fe4f3959438b270ef1b356de1ceb11b683adce5e535971339
                                          • Instruction Fuzzy Hash: 5E210A71E51209DFCB44EFB8D8909EEBBB1FF8A305F10952AE55477250EB306A49CB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a48aa92f36ff08cbf1e7057945127ffdbcaab95bbc6162ab7827fd0298ca3d2
                                          • Instruction ID: 5a9a2692976a2607ee5d4f93b7a1579cea506719985ae03fdd63905d05c7a593
                                          • Opcode Fuzzy Hash: 5a48aa92f36ff08cbf1e7057945127ffdbcaab95bbc6162ab7827fd0298ca3d2
                                          • Instruction Fuzzy Hash: A72162303102108FDB59DB39C954A2977F6EF85715B2584AEE40ACB3B1DBB2DC46CB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3035611fc5fed1e83a13957ae1d138e9e5bd2c2a0e2f2d1c6a996cfa768876d6
                                          • Instruction ID: f0c780cb4463ae8d409a47c80b4f8d698cca767e7732a09f82d2c77656d530cc
                                          • Opcode Fuzzy Hash: 3035611fc5fed1e83a13957ae1d138e9e5bd2c2a0e2f2d1c6a996cfa768876d6
                                          • Instruction Fuzzy Hash: 35216D767006149FCB24DF19C588A6AB3B6FF88722F10842EEA0687752CB71F841CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 74dbb4d48c0e309d7412aefcfe0c4aa6b5db1da1758618bdff594fd191848b82
                                          • Instruction ID: b9f3ed9c2d3ee21193cd7270574b3966dac71732d73a2940f47f21d3577e74f1
                                          • Opcode Fuzzy Hash: 74dbb4d48c0e309d7412aefcfe0c4aa6b5db1da1758618bdff594fd191848b82
                                          • Instruction Fuzzy Hash: AF214F303102108FCF59EB3AC855A2A73F6EF85715B10846DE50ACB3A5DBB2DC41CB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657574310.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_a6d000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b224ddaebc2cb302609f0714d99696f331651a3de93ce24e739339755c814abe
                                          • Instruction ID: 2faa750a7b3ca886a783c555dd153a9857eda0090f9d8e308510a63563c0d85a
                                          • Opcode Fuzzy Hash: b224ddaebc2cb302609f0714d99696f331651a3de93ce24e739339755c814abe
                                          • Instruction Fuzzy Hash: E521F5B1A04200EFDB05DF24D9D4B25BBB5FB94354F24CA6DD90A4B291C336D846CA61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657574310.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_a6d000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae7934391b6318c4eeabb0f9c5f82cb29d2d656efdc7f3993ecf1c6cb1135696
                                          • Instruction ID: ab7ce21ac96bae5a2f10bf21bf564fa643000a0c3b1408dea3061aaa13fb9489
                                          • Opcode Fuzzy Hash: ae7934391b6318c4eeabb0f9c5f82cb29d2d656efdc7f3993ecf1c6cb1135696
                                          • Instruction Fuzzy Hash: C921D375A04240DFCB14DF14D984B26BBB5FB94354F24C969D80B4B286C336D807CA61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c14dac9268e3d706289a0997407f17bd64b692ef30e0a09c7123e4a455919650
                                          • Instruction ID: 26c0d1f4491373272161a5c21404007473f37baf728b1cb071a165457c707a65
                                          • Opcode Fuzzy Hash: c14dac9268e3d706289a0997407f17bd64b692ef30e0a09c7123e4a455919650
                                          • Instruction Fuzzy Hash: 7821A531B006059FDB259E78D8545EE7BF2EF84311F048669D9869B391EB30ED86CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c55dcf0a0fc92af60535d5e10850d486165f8bb4ba1220dcac80ca567f2f7d41
                                          • Instruction ID: 167c118a944ae30ee06d9822a0597484a3990fa7c641091fb75781ff7a62119a
                                          • Opcode Fuzzy Hash: c55dcf0a0fc92af60535d5e10850d486165f8bb4ba1220dcac80ca567f2f7d41
                                          • Instruction Fuzzy Hash: 632159756006559BC720DF69C8809BBBBF9FF89700B108969E8599B720E730AD45C7A0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f4d76581efa56c660b4ed487fa5b3602e6a57f93fed98005f4f959fad956f6b
                                          • Instruction ID: 3880897186c7e7a76ada1e3821cf00ccd6a0c11f3e5b56f56b6b7a79b42f3575
                                          • Opcode Fuzzy Hash: 7f4d76581efa56c660b4ed487fa5b3602e6a57f93fed98005f4f959fad956f6b
                                          • Instruction Fuzzy Hash: 00213031E106099FCB10EF6CD940999FBB4FF99311B50C66AE958A7300FB30A998CBD1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 24f174aa2677370e65ace2cbd3902b1489d630062aa813ec87bc45051900fca7
                                          • Instruction ID: c74c159ce0c86b0d3306f3b86519a2aee52313dd41c7191e3ff948f9388c2553
                                          • Opcode Fuzzy Hash: 24f174aa2677370e65ace2cbd3902b1489d630062aa813ec87bc45051900fca7
                                          • Instruction Fuzzy Hash: 9111B2B5A193889FDB46CBB48C6956D7FF5DF42204B1444EBE849C7252E9348D068362
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68bd5e6972e5e46821b3576597b07155cd139036f13bac6865cfb709f51ee715
                                          • Instruction ID: e02d1441c78dce538bc1aef470355ef261ccf002cbbb512aab8ce970a988be98
                                          • Opcode Fuzzy Hash: 68bd5e6972e5e46821b3576597b07155cd139036f13bac6865cfb709f51ee715
                                          • Instruction Fuzzy Hash: 72215C76B006149FCB24CE15C584A6A77B6FF88712B55842EE906C7B62DB31F8428B10
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2400c0d6c9bad5112b1ed9c18dca80b43c959434007aa5fcf08db9c53ab692d3
                                          • Instruction ID: 3184c8172eedf927dab535e303a10c21caa13f1f4ba383e910baf7783aec59e8
                                          • Opcode Fuzzy Hash: 2400c0d6c9bad5112b1ed9c18dca80b43c959434007aa5fcf08db9c53ab692d3
                                          • Instruction Fuzzy Hash: 0D31E0B1C013189FDB60DF99C588B8EBFF4AB08314F24801AE449AB241C7B59945CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c3cad8ea8af6e2be98eb09f68e3b74b05c6bd1dfadfe82c8ef4dd7b066b8c31
                                          • Instruction ID: 24a23db6f1f64110e7147e2d5dd6b7a5a159d9144968dc7d544178025b41b8fd
                                          • Opcode Fuzzy Hash: 0c3cad8ea8af6e2be98eb09f68e3b74b05c6bd1dfadfe82c8ef4dd7b066b8c31
                                          • Instruction Fuzzy Hash: 2631CEB1D013189FDB60DF99C988B9EBFF5AB08318F24801AE509BB240C7B59845CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: edece079271ba9eabef095a802092fdb05c9167f53e7366901869f630e5d34d5
                                          • Instruction ID: f8c3549ac2b10f75a26672599644cd6908d7f3e92864af8522df5ff5c0299c24
                                          • Opcode Fuzzy Hash: edece079271ba9eabef095a802092fdb05c9167f53e7366901869f630e5d34d5
                                          • Instruction Fuzzy Hash: F3117F31B006059BDB24DE68D8549AE77F2EF84302F048A29D98697394EB30FE81CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d506d37f52902b56f5ba18a086144df1c377df7b266fb4b21caaeb81a0a4a50f
                                          • Instruction ID: d219e8f1b21829fcc7af607cc1314666910a66d7aa1ab27781e097e4e9c10d00
                                          • Opcode Fuzzy Hash: d506d37f52902b56f5ba18a086144df1c377df7b266fb4b21caaeb81a0a4a50f
                                          • Instruction Fuzzy Hash: DD21B374A01909EFCB04DF5AE284999BBF1FF8C310B6281D4D5489B365DB31EE61DB00
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f1fc254f8f3cce6e106b47ab8b5bc4c734036373997761a25000099e4f464d83
                                          • Instruction ID: ce084961beb1fda1a29f1c0b62aa618b372a641d3ff2f69bdca361c2b5f0a81e
                                          • Opcode Fuzzy Hash: f1fc254f8f3cce6e106b47ab8b5bc4c734036373997761a25000099e4f464d83
                                          • Instruction Fuzzy Hash: 3111A076A007065B8B51EF6D8C505BFB7F7EBC82607298529E865D7340EF309D0547B0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4e7365034b5ac3b6d2b54e860fe03be01b2110ae370f4f91c9640f7e51ce840a
                                          • Instruction ID: d6d00689156cb759bc2a8610714a8570c60d908a9fdc5929c1ea4d1c1ebaedf2
                                          • Opcode Fuzzy Hash: 4e7365034b5ac3b6d2b54e860fe03be01b2110ae370f4f91c9640f7e51ce840a
                                          • Instruction Fuzzy Hash: 21110470B093856FEB07777968704BEBF75DF87644B08089AD444DB253CA24190AC3B6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 99cecab6dbaf52f2c31b67830703a2edabed9fb25cb1a341e02abb945a6f6533
                                          • Instruction ID: 6a813ef5ca857d184607cf48e8f1f45a2988de5f77792f49957ec8d33bd23ebc
                                          • Opcode Fuzzy Hash: 99cecab6dbaf52f2c31b67830703a2edabed9fb25cb1a341e02abb945a6f6533
                                          • Instruction Fuzzy Hash: 46F08B717086915FC7558B2A991045BBBEBEFC525070AC47FE149C7212DE30CC0387E1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 26c1cbd11da15dd6de148803136fe04e0a56a0ffab0943e29a54580cfd631f97
                                          • Instruction ID: 4a76e2587dd7165cc786a70551e4f73818926c0ea5a6ad2eeff9edf34c7ba2cf
                                          • Opcode Fuzzy Hash: 26c1cbd11da15dd6de148803136fe04e0a56a0ffab0943e29a54580cfd631f97
                                          • Instruction Fuzzy Hash: D7F03032D1061A9BCF05DFA8E8045EEBBB6FF8AB21F055425E9047B250D7B13949CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c28357330f5b078783cc8f206cd2eb18438f78928cfa5108437f6053c3af999b
                                          • Instruction ID: a133302ebdeb95b941dab2025df885338305b4da7da5e12d38d089115aa2d7f8
                                          • Opcode Fuzzy Hash: c28357330f5b078783cc8f206cd2eb18438f78928cfa5108437f6053c3af999b
                                          • Instruction Fuzzy Hash: 4C0162702042048FEB109F6AD4D479577A5FF85328F1482B9E9689F3D7CB7698059B90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3f509f19431bcbc84f75b8bb88d7624ab55c31f7e7742253ad40731203110bd5
                                          • Instruction ID: 65fcf7193054135901db99df4b18314542cbeff6bb72fe8b8974cb9c1571d0e1
                                          • Opcode Fuzzy Hash: 3f509f19431bcbc84f75b8bb88d7624ab55c31f7e7742253ad40731203110bd5
                                          • Instruction Fuzzy Hash: 2FF0C2307017908FEB698B388499A5777E5AF46A14B4980AEF48A87721CE21E801C792
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b49f31f18c8e3259b5b42c2c03f9230dfb1c3080f7ef28e5d084414b829c93a4
                                          • Instruction ID: 3a2e1862717ee45c7e57616c015e58b883781a157f4fd5f9280c0689da4feb64
                                          • Opcode Fuzzy Hash: b49f31f18c8e3259b5b42c2c03f9230dfb1c3080f7ef28e5d084414b829c93a4
                                          • Instruction Fuzzy Hash: 8BF06D31F00B088BDB16BB7884005AEB7B6EFC1616F05466ED85967210EF30A99287E1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3835a654554aea5f6c1b0f817bb8429f1cd7d65b8f0bce10461a511e83cb322f
                                          • Instruction ID: b54be2401b8dc183e7f5a2e43a8f4e126c02b2cbb91f00d41cb6eea4e1be8aac
                                          • Opcode Fuzzy Hash: 3835a654554aea5f6c1b0f817bb8429f1cd7d65b8f0bce10461a511e83cb322f
                                          • Instruction Fuzzy Hash: 47011E70C00219DFDF60DFA6D4043AE7BF1FF49310F118566E854AA290D7744940CBE4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14aba1f28f206be0a723b65ca5f38a1fe37de22451ad997dc5e2e19bd4de0171
                                          • Instruction ID: a19b77f32d3bee1ff4063a6e3b96dc361e27300a14b9b4ef97a051b20e104034
                                          • Opcode Fuzzy Hash: 14aba1f28f206be0a723b65ca5f38a1fe37de22451ad997dc5e2e19bd4de0171
                                          • Instruction Fuzzy Hash: B8F05236B402018FCF505B78A42441A37EACFCA22131941BBE04AC7322DD30CC0387E2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a1102e2ec867dea335b675db98ee6f75d48f20e7ece6abbb8bb65af81c7fa618
                                          • Instruction ID: 3299cf4dfbb182d6c7b8dd298861a0e592f84bef5932df479d85f45cd1af4204
                                          • Opcode Fuzzy Hash: a1102e2ec867dea335b675db98ee6f75d48f20e7ece6abbb8bb65af81c7fa618
                                          • Instruction Fuzzy Hash: 42F04F70D5120D9BC744EFB8C8549EEBBB4FB45305F008A9AE89467210EB70A648CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49a991a65d1b98fbeb2ee64cbc70ad20729cf72a2b8c8e1a55281f1df35983bb
                                          • Instruction ID: 6673d29f1223e57fcf2a063c48b0daacd9e20ab829897a9a21f8552bd4da1255
                                          • Opcode Fuzzy Hash: 49a991a65d1b98fbeb2ee64cbc70ad20729cf72a2b8c8e1a55281f1df35983bb
                                          • Instruction Fuzzy Hash: 9AF02736F500108FCB204628D88887DB797FBD272272981A3D495CB7F4E632F841C280
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657541383.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_a5d000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8e4816bc596d0826685f2a4ebfc44670bf64e748e4796ca6d7b73cf7deb89559
                                          • Instruction ID: 048631ae6571ad9f1de17d5423ff376983efa90f401fd046df320c843b601071
                                          • Opcode Fuzzy Hash: 8e4816bc596d0826685f2a4ebfc44670bf64e748e4796ca6d7b73cf7deb89559
                                          • Instruction Fuzzy Hash: 61F062714043449EE7208B16DD84B62FFE8EF55735F18C45AED084E296D379A844CAB1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f221637cb02a012422700aa368b41998dc5bee02205b17da35fa03b54968475a
                                          • Instruction ID: a960753632462078d35e0333ddce1cb2a66096b46517073fea22eb549c930e90
                                          • Opcode Fuzzy Hash: f221637cb02a012422700aa368b41998dc5bee02205b17da35fa03b54968475a
                                          • Instruction Fuzzy Hash: 42F0F474204A508FC715DF28E9988597BF5FF4A71971649A9E08ACB373CB62FC46CB40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08cc4781c26d0db79a153107deebbbaeaebe4f65ee730cddf385389422a938c4
                                          • Instruction ID: 629fffa9a70a11e5634eb5a0391a12ccea8731d57d9f51b52a6416dc62ba2f03
                                          • Opcode Fuzzy Hash: 08cc4781c26d0db79a153107deebbbaeaebe4f65ee730cddf385389422a938c4
                                          • Instruction Fuzzy Hash: 63F0B432A082087FDF45DF64DC51D9F7FBADB05114B0480ABE808D7221E630AD1087A4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d4d1e4e2c241ae0e2b7809cf5fa469e2aaf00aeb45ed3f19f5047c107d729cfb
                                          • Instruction ID: 9b2f446ac9bbc05b4535352e69d2f2847ba70b400405f116550a85490e14fd6a
                                          • Opcode Fuzzy Hash: d4d1e4e2c241ae0e2b7809cf5fa469e2aaf00aeb45ed3f19f5047c107d729cfb
                                          • Instruction Fuzzy Hash: 95F0A771B051947FE715DF7998518AA7FFACF82550B05C4FAD404DB252ED309D058391
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8e14d033116c768682411c1b2e5fc17b12050a6855c65073aeb121f13c949105
                                          • Instruction ID: e6aa360048da978b565f900378d19667b1c6b65aa7ad143e3ff2660d68999429
                                          • Opcode Fuzzy Hash: 8e14d033116c768682411c1b2e5fc17b12050a6855c65073aeb121f13c949105
                                          • Instruction Fuzzy Hash: 3B019D70D01208EFCB44EFB8D4656ADBBB1FF45306F5045A9D415A7690DB756A40CB40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ebfa75ad29b9387e740f881c15dc5db1605eddb887f731f5c0c9958be137a0fe
                                          • Instruction ID: 0b020ed0f05b36affd0b8acb2389dedce5610e5cf8f11ae539cf36589a19337a
                                          • Opcode Fuzzy Hash: ebfa75ad29b9387e740f881c15dc5db1605eddb887f731f5c0c9958be137a0fe
                                          • Instruction Fuzzy Hash: 99F0B4317006188FC7249B1AD48492AB7FAFFC8725B11455DE40A87361DF31BC42C790
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b378235e170e280c7d1b6016d07284af11dcf2181c010c51ce43fc7f873526e
                                          • Instruction ID: 49d710f058f489354e4c61e3c102bd989f6f8782cad33796986ceb172bfe480b
                                          • Opcode Fuzzy Hash: 7b378235e170e280c7d1b6016d07284af11dcf2181c010c51ce43fc7f873526e
                                          • Instruction Fuzzy Hash: AEF0F974E00208EFCB44EFB4E5685ADBBB1FB8A302F1091A9E406A3350DB346E54CF85
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e8eeb4c91682269cdf1b5e27ba695e9a9665ef07dffc30d79a9af1520e694e89
                                          • Instruction ID: 9e1c3aa19ec47fcb5f1033624e982056869069df6afd1c2f0aa0832a971a0b4a
                                          • Opcode Fuzzy Hash: e8eeb4c91682269cdf1b5e27ba695e9a9665ef07dffc30d79a9af1520e694e89
                                          • Instruction Fuzzy Hash: 7401E870C00219DFDF64DFAAD4043AEBBF1FF49360F118626E824AA290D7744A44CBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 076b47bbacd990957b7edacd3f9b867835214dc2726d67eb600e35975a875c72
                                          • Instruction ID: d4a5268d49bd190a56959da5f1c3a8df70153fe85a9d66319ffc2de21140408a
                                          • Opcode Fuzzy Hash: 076b47bbacd990957b7edacd3f9b867835214dc2726d67eb600e35975a875c72
                                          • Instruction Fuzzy Hash: 1CF0A735B001198B8F9457BD941451E72DA9FCD661329817FE50AC7324DD30CC0287E2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c9847d12d68dba7bacbe2e7bd32eb9bf152e5f7c0074c71f3d85d4cfb9a1aab
                                          • Instruction ID: faec46376e2dc5c4aa1fc816bb141e192c688f1796293394d714f72aa8f14ffb
                                          • Opcode Fuzzy Hash: 9c9847d12d68dba7bacbe2e7bd32eb9bf152e5f7c0074c71f3d85d4cfb9a1aab
                                          • Instruction Fuzzy Hash: 6BE02B357059181BE3155B7A5C85667BBDAEFC9720B04C029E808C3341DD206C0343E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                                          • Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
                                          • Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                                          • Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 456c3c1f9dbe8285e0b51d410e3a54ed785618d96d49e5ac2d5ff01bd020732d
                                          • Instruction ID: 35158f4174be914f1ed8be29b79ff974319a765ab3bf84203bbc0d4939e296f0
                                          • Opcode Fuzzy Hash: 456c3c1f9dbe8285e0b51d410e3a54ed785618d96d49e5ac2d5ff01bd020732d
                                          • Instruction Fuzzy Hash: 5AF082307107608FEBA9DF29C458A56B7E5AF45A54B4980AEF55AC7720CA31E840C792
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac4025c076606ca7f9fe6c8605ffdc8acadadf42750e5316bb714d2d9e01d87c
                                          • Instruction ID: 1cd77b65f2f342c68ae7566da5274a688f0fc4d3248c28b82874b39586a28365
                                          • Opcode Fuzzy Hash: ac4025c076606ca7f9fe6c8605ffdc8acadadf42750e5316bb714d2d9e01d87c
                                          • Instruction Fuzzy Hash: C2F0B7B0E1420AAFDB44DFA9C841AAEBBF4AB48204F1045A9D919E7241D77495008BE0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd292b67e964c24edb4b9dc5cb07152fa3cecf5874c118cdcdf14bc74af58f24
                                          • Instruction ID: 5a49ec109b7d7310ba5b02adbf3a1ea163300ef2ae884f3a32f21beeb9b753d5
                                          • Opcode Fuzzy Hash: dd292b67e964c24edb4b9dc5cb07152fa3cecf5874c118cdcdf14bc74af58f24
                                          • Instruction Fuzzy Hash: 03F0DAB0E1020AAFDB54DFA9C586AAEBBF0FB48304F108569D519E7241D7748641CFE1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5fa53f169ee9b67056f0cb87159b26ce7d2f3c6d968039a76bcf5a97b3604375
                                          • Instruction ID: 4716c280b2af57923f045608a81685764271716ccf46b4571da647ee85030f87
                                          • Opcode Fuzzy Hash: 5fa53f169ee9b67056f0cb87159b26ce7d2f3c6d968039a76bcf5a97b3604375
                                          • Instruction Fuzzy Hash: 60E06D70D05209EFCB04DBB4E992AEDBBB0FB42305F1442A9D40827252D6701A4ADB81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f4f67a378cd123c31f631479077b135c7becd6d3c53b7f5fa862cfdfa4d71fa7
                                          • Instruction ID: 40a80a5d9a913ae4587adb180891720a0e850a22858f6d539d2c9c086a3d72b5
                                          • Opcode Fuzzy Hash: f4f67a378cd123c31f631479077b135c7becd6d3c53b7f5fa862cfdfa4d71fa7
                                          • Instruction Fuzzy Hash: 47F0BC34200A208FC718DB28E598C597BEAEF49B1A71145A9E14ACB372CB62EC40CB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 981d4ac08f7cefa6dae8694f4762691deb7fe5f6e8efc6d388a47e0288ab816e
                                          • Instruction ID: 6bc6e9aed59c151ac5d7a720ca3b45e7255e139bb6c09ff5c31d717f75ba771a
                                          • Opcode Fuzzy Hash: 981d4ac08f7cefa6dae8694f4762691deb7fe5f6e8efc6d388a47e0288ab816e
                                          • Instruction Fuzzy Hash: 6AE092713006295FC384ABADD85484677FAEF8D621311C09AF549C7315DE349C02CB65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ff489b06c184fa539f35eb49ff57b03e3efd43375016f834bbdb600edd89429
                                          • Instruction ID: 848dd1f58c49f71c40f86bf93447ac1b4164388f773bcdaf0a8b16b9a9d0232d
                                          • Opcode Fuzzy Hash: 2ff489b06c184fa539f35eb49ff57b03e3efd43375016f834bbdb600edd89429
                                          • Instruction Fuzzy Hash: 80E0ED37260624878710DB58F8814B9B3A9F799A6E3188056E51CCB631E766D852C780
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 48724e5fcd5dfb7fcdf9fb7fa1b1d3b74c626d419569a4685a855289ec1f80f4
                                          • Instruction ID: 297c80f8e786c2fcee79f2eba6cda7d9eb581a4cdc9e5dec2aa7145561c4ebac
                                          • Opcode Fuzzy Hash: 48724e5fcd5dfb7fcdf9fb7fa1b1d3b74c626d419569a4685a855289ec1f80f4
                                          • Instruction Fuzzy Hash: 87E0D8B74152719BFF4AAF1CCC915D93BD0EFB63113084C87D0C99A121D510C44AD7AA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a657d677a32964301d49364cf05436324a2271229525fa3bb5fb92b60e3bb50
                                          • Instruction ID: a7f44eb50613ffbc9d32c1ef7b79029c8cc8129ed37ad54ec2d674c111d7452a
                                          • Opcode Fuzzy Hash: 6a657d677a32964301d49364cf05436324a2271229525fa3bb5fb92b60e3bb50
                                          • Instruction Fuzzy Hash: 2EE0D8726047100BD3039628A88158EE7C3EEE16157158E1FD0444B256D9609D078380
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a415b0bf2f9a6bc65772befa67cfcc5a608e9411f21c1a696a621ece3919570b
                                          • Instruction ID: ea7aeb079ad07f0765ff65b18f50c7b6e593edf5686a958846b60b655018cb5e
                                          • Opcode Fuzzy Hash: a415b0bf2f9a6bc65772befa67cfcc5a608e9411f21c1a696a621ece3919570b
                                          • Instruction Fuzzy Hash: 3EE0863270091857D6185B6B5C04A6BB6DBEFC9B20B14C029E909D3344DE706C0186D4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 92d44f8e7fff9b917f94b1195e6fca3e71627900b8985efa09b88ac5b83d61a7
                                          • Instruction ID: 7087fd60b4a973eeded07e4e974a9d2260df9e5c01f2b1bf650762ec688732f0
                                          • Opcode Fuzzy Hash: 92d44f8e7fff9b917f94b1195e6fca3e71627900b8985efa09b88ac5b83d61a7
                                          • Instruction Fuzzy Hash: 04E0263844A249AFC301CFB0E9349ADBB34EB03218F1000EDD804232A1CB741D01CF59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f9419e7da0bb7bfe9a6dc5d685f060cf15ea7c7cab12b99ae1dc1fba44e81ca
                                          • Instruction ID: 373c42020935b8a3276c28ea8d1639cc1619bd4d34bd6304427c949f809e3e46
                                          • Opcode Fuzzy Hash: 6f9419e7da0bb7bfe9a6dc5d685f060cf15ea7c7cab12b99ae1dc1fba44e81ca
                                          • Instruction Fuzzy Hash: A2E0DF71B6021DEBCF209F80E54A7ECBB70FB4471BF200012D205B1540C7715988CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 29927f3c083bb3a7072fd7325830e8c6e9f7cab1ae64f58a597c6056ba0b6fd9
                                          • Instruction ID: 4e09111ccdc39d46eb5bcee9eda81c0bfb149ed90c8c02fe4e603aaf7b72e024
                                          • Opcode Fuzzy Hash: 29927f3c083bb3a7072fd7325830e8c6e9f7cab1ae64f58a597c6056ba0b6fd9
                                          • Instruction Fuzzy Hash: 3AF08C306107118FCB01EB78E54485E7BF2FF943117108D1DE00A9B364DF71E9058B90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4984145b886425c533d467094bd4796735bf0f1cc0a693922992caa3c4d1171b
                                          • Instruction ID: 9043ec08527ff23849ae1e40fc654abccedb103b4892c8db8aebdd22ed00f64e
                                          • Opcode Fuzzy Hash: 4984145b886425c533d467094bd4796735bf0f1cc0a693922992caa3c4d1171b
                                          • Instruction Fuzzy Hash: A3F0C23AA1220DCFCF15EFA4D6446ECB7B1FF4A25AF6004A9C405B3254C7366E55CBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3c40031eeabf18615bb2bd955b3821bab18f9fbf0df7293056101b47225bc75
                                          • Instruction ID: 88ecfdb56b71247b0f20ddf838b82f53fa9643a50f125ff9543efee9fe2fec35
                                          • Opcode Fuzzy Hash: a3c40031eeabf18615bb2bd955b3821bab18f9fbf0df7293056101b47225bc75
                                          • Instruction Fuzzy Hash: 11E01AB0E502099FDB80EF78C58569EBBF1EF08200F21C5B6C018E7251E7708A468F91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 398d8fd2375519a135aa8293880316d0cfc4abc93e46ef4a827b4f764f4b84d0
                                          • Instruction ID: 02f56bb113c23cf7199071a3fc83721f40fbb100c08f3f10d6289a92da00962a
                                          • Opcode Fuzzy Hash: 398d8fd2375519a135aa8293880316d0cfc4abc93e46ef4a827b4f764f4b84d0
                                          • Instruction Fuzzy Hash: FBE0E6757005195F8744EBADD45495677FAAB8C631311C0A9F509C7354DE34DC014B95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc45b47e5101dd22b43f88941d120b064ac464408b327a731159b693589c01b2
                                          • Instruction ID: f7177db479aef5d01853a5488924ac61f744d29ab250fccc9ffa5e4de6543af7
                                          • Opcode Fuzzy Hash: fc45b47e5101dd22b43f88941d120b064ac464408b327a731159b693589c01b2
                                          • Instruction Fuzzy Hash: 18E08C30D4120DEBCF04EFA8E941AADBBB0FB81306F5042A8D80427210D7702E44DB94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ddba75523c85f677157accd541d0bd0a96090f53a7b387b974a59a10cef6f939
                                          • Instruction ID: 29cecbbb3847964ef3e48ed139a3d500e12663d5f40ad2c1ee58641d040f38ab
                                          • Opcode Fuzzy Hash: ddba75523c85f677157accd541d0bd0a96090f53a7b387b974a59a10cef6f939
                                          • Instruction Fuzzy Hash: 55D02B2130824083E3043F75607937A3F9AEBC2A46B06807CDC06C7481DE39C8128351
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 803be163f75ae7b7ff0ff58c34f927c4b0acc30332920757305328bc6711cd0f
                                          • Instruction ID: b95852086647ac2562895560dba961d4270f16767dae64289338a0fe1237e941
                                          • Opcode Fuzzy Hash: 803be163f75ae7b7ff0ff58c34f927c4b0acc30332920757305328bc6711cd0f
                                          • Instruction Fuzzy Hash: E8E086B0A01208EFCB00EFA0E54155D7BB9EF84315B2045D4EC0997345DB321F009B91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6baed47aa542ae1cdf18200d75f19d700e36086c5e6d20f8beb0ce0cee7bc613
                                          • Instruction ID: f064c49d1e7fe705bdf53ba3a3abb71a8ac985b5f1be7c60f5cac1b06f87886b
                                          • Opcode Fuzzy Hash: 6baed47aa542ae1cdf18200d75f19d700e36086c5e6d20f8beb0ce0cee7bc613
                                          • Instruction Fuzzy Hash: 6AE086B0A00208EFCB00EFA4E90155D7BF9EF84315B2045D4EC0593345DB322F009BA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2c87d22764ad6d81d903942c7c3e1bdfd0af9e958eaf743dbb6220f7d15f1f87
                                          • Instruction ID: 0a975d3bc7bece4bb9a7e810ba86d793c88cf811c828843b82dc1712fe58abf2
                                          • Opcode Fuzzy Hash: 2c87d22764ad6d81d903942c7c3e1bdfd0af9e958eaf743dbb6220f7d15f1f87
                                          • Instruction Fuzzy Hash: B9D05235E04008CFCF00EAA8E8448ECFB31EB8A222B00A822D616E3200C3308911CA64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12ea3b550021b636485cbcb41587d6f3c12c7d9ef7e9d477f19b8ad9957d342c
                                          • Instruction ID: d7ee9058a2145eed317b432e4312c23d30ebcaf549b346743810c0010f21731f
                                          • Opcode Fuzzy Hash: 12ea3b550021b636485cbcb41587d6f3c12c7d9ef7e9d477f19b8ad9957d342c
                                          • Instruction Fuzzy Hash: 89E0B6B1D50209EFDB80EFB9C905A5EBBF4BF08600F11C5AAD019E7262E7749A058F91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 67f32f02ac2bf92cab7cff59929797d8035da2d51574e3525a92a3b16842d019
                                          • Instruction ID: 107dacd8842b992e05770376fed33bb3c702840a2da1d84c18f6d2835db459d4
                                          • Opcode Fuzzy Hash: 67f32f02ac2bf92cab7cff59929797d8035da2d51574e3525a92a3b16842d019
                                          • Instruction Fuzzy Hash: BFD0A7257082444793002EB6546973637DEFBC0A467458064E906C7185EF38E8519361
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d7ca88b57a6ec95bc80b91d7844cebc68311493ae5490b9f926592501779ad2
                                          • Instruction ID: 36199d98ec251a9384ac5003e1a80d761d80db18a84a3ebf69bc4f711bf4bdec
                                          • Opcode Fuzzy Hash: 9d7ca88b57a6ec95bc80b91d7844cebc68311493ae5490b9f926592501779ad2
                                          • Instruction Fuzzy Hash: D0D0123311010C6E4FC0EF95EC00C6377EDBB647147008422E508C7431E621E424D7A1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4378b0d6d246e7e3f472199d655dfc05b849ef52d723aa4a713432739262f911
                                          • Instruction ID: a4ef37af69942b2dfa1a533766ae13a0f90a78874de2b0ba7dd535c9d456d204
                                          • Opcode Fuzzy Hash: 4378b0d6d246e7e3f472199d655dfc05b849ef52d723aa4a713432739262f911
                                          • Instruction Fuzzy Hash: 38C0127B5061409FC7866B10C8409C97FA0EF326403494042D0C8460639610C51FEB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1666884092.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_4d30000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc6720226294adda2d3d8abce6d368f48fcb84f162c85d6c63f73c465ea3f7b5
                                          • Instruction ID: d88062308b2294ffe66f3e6b829f6d1cd523079840125cd7c594c60984a4f51a
                                          • Opcode Fuzzy Hash: cc6720226294adda2d3d8abce6d368f48fcb84f162c85d6c63f73c465ea3f7b5
                                          • Instruction Fuzzy Hash: A3C01293D0C5954EE7024415DC613CC37219B61205FAE48B5C491C5A47E04CC5074201
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc7ccef2dc33cf4902df5f265e30c7cf4f62d043d5fe737f36e491084d8ebdb4
                                          • Instruction ID: 2a5d21e67c3b96de09685ede8fe72c61a8c6f64b25415075e67187d009415505
                                          • Opcode Fuzzy Hash: dc7ccef2dc33cf4902df5f265e30c7cf4f62d043d5fe737f36e491084d8ebdb4
                                          • Instruction Fuzzy Hash: 8FC0129594854027D709D67954982957B87D7AA118B1880A4C60549107D42944578196
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc44a92f55baac9a673f46d4366fef9da2c95bfa57c1ce6a0a3326d453aad5f6
                                          • Instruction ID: 084f15cd6001867f0f06009e38e2dc66c57558c2a5c6ab17fff052d0d5a3acf4
                                          • Opcode Fuzzy Hash: dc44a92f55baac9a673f46d4366fef9da2c95bfa57c1ce6a0a3326d453aad5f6
                                          • Instruction Fuzzy Hash: B1D0C931951604CFC799EF78C6544297BF2FF48705751051CE1A796B90C735E802DF00
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a4d55a9e10162a6a36302c3e3f06dbb5875c65774df3dce2bc095cd9e2fde44c
                                          • Instruction ID: 2f6a906151c69fc6a186b87d24d10b4280d2ec8e2fa134dbd216aaf5356e1246
                                          • Opcode Fuzzy Hash: a4d55a9e10162a6a36302c3e3f06dbb5875c65774df3dce2bc095cd9e2fde44c
                                          • Instruction Fuzzy Hash: BAC0126404E28ACFC30117A4BD254657F28C90301A74500E6A94881123C619181187E6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 914e9fd18eb4ffd2329d7bfbb48101ab8d61a3b2112342120261494bb24a444c
                                          • Instruction ID: 3b6feca7a26afad2fcbebcc679200f68e6930595bc0427284c531f1f6d31899d
                                          • Opcode Fuzzy Hash: 914e9fd18eb4ffd2329d7bfbb48101ab8d61a3b2112342120261494bb24a444c
                                          • Instruction Fuzzy Hash: 82C08C3000120F8BC700A7E4BA0C32477BABB00337F840120E209402608AF810A0CA21
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cab91b4fd17eaaee8fbf1e44d3c5a3255db238fff873502999071c0f11f60bc5
                                          • Instruction ID: 347dbca9beb74488e1a21d8eedc142043b01ee20a9adc3e110ca94ca4d30da64
                                          • Opcode Fuzzy Hash: cab91b4fd17eaaee8fbf1e44d3c5a3255db238fff873502999071c0f11f60bc5
                                          • Instruction Fuzzy Hash: 22D0CA30D0820ACFDF80DF90C4646EEB7B1BB49301F208008C42AA6280C338A9028F80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4b290e82754770bd5f120baf86eabdbe211fe447400eff3fcd3e7da905e063f1
                                          • Instruction ID: 6b257a90c182b7834ec0442dd140d2e3648c466fed387588b17403bde56c8cd2
                                          • Opcode Fuzzy Hash: 4b290e82754770bd5f120baf86eabdbe211fe447400eff3fcd3e7da905e063f1
                                          • Instruction Fuzzy Hash: 0CC08C6A04E2C5AED30297704C25C12BF21DB1320870910EBA18441063C914083AD3BB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a49eba5653687725909031b5ceac0520ccd12125a344e3b0c93005fd5d31176
                                          • Instruction ID: 14c5600b9dcc7debac2246b81225e594b3624e2b1b676368edc3ab515a818adc
                                          • Opcode Fuzzy Hash: 0a49eba5653687725909031b5ceac0520ccd12125a344e3b0c93005fd5d31176
                                          • Instruction Fuzzy Hash: 5FB012B71B420AAADBC432684C44B2A98A1EBB2704F40DC06B28D01040C422C434D33F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05d6ae1c95ca7065846de3c9bde7256a61dbd191634900e6100ff08afd1ff32d
                                          • Instruction ID: e60714b276cb6ce0254f3e869f85e6f2ab0d4c956a9f03fb0e18cf51aa2d6612
                                          • Opcode Fuzzy Hash: 05d6ae1c95ca7065846de3c9bde7256a61dbd191634900e6100ff08afd1ff32d
                                          • Instruction Fuzzy Hash: 1DA0025D46242927BD0B546818D31C02741D2F15946D65178C48902005110C45474208
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f905140779622dd30d52d4a26434db2d48348f787a67b6639dca0c0a84ea4205
                                          • Instruction ID: 9b0311c68e7b34fab5f9e4021c39f5db1a9a0b3ef3eb435e6cbbcf6666d669b9
                                          • Opcode Fuzzy Hash: f905140779622dd30d52d4a26434db2d48348f787a67b6639dca0c0a84ea4205
                                          • Instruction Fuzzy Hash: B4C02B704034084EDF08DBB0C2E109FEDB6B7C4310F30610AD041F5744E2308B408396
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2fb2c508071de1d73889820f8b8415fd5844e42292c04effec066c89140d1d65
                                          • Instruction ID: c1d0673c767c89bd4acd4f2a5d187c957e2532e9678a9839e64728930fd096f4
                                          • Opcode Fuzzy Hash: 2fb2c508071de1d73889820f8b8415fd5844e42292c04effec066c89140d1d65
                                          • Instruction Fuzzy Hash: 52A0027104460FCB86402799B40D559F75D9545529B504055A60DC16155B6A54104595
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4e5adf371b62f83f90e596fc6234c67f1e8dead680519a99fdafe0fb0b4b4d08
                                          • Instruction ID: aa18b724b6e2d0d21c5b87b2c9cc7c7401cc8d5c8056c99e2a1e3ed01032395f
                                          • Opcode Fuzzy Hash: 4e5adf371b62f83f90e596fc6234c67f1e8dead680519a99fdafe0fb0b4b4d08
                                          • Instruction Fuzzy Hash: 4DB01260C01634C8C281D674D54480417D5D3807013004E39104C460AFC060A8812781
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ax^
                                          • API String ID: 0-994873808
                                          • Opcode ID: e8fe98da7fcf499e5069cc745267cdb6d08f175bbb64bfbbda04f47821a6f455
                                          • Instruction ID: 7e4d0718d3065116429ecd49f162f40b981f544632894c68eee65ef49411bad7
                                          • Opcode Fuzzy Hash: e8fe98da7fcf499e5069cc745267cdb6d08f175bbb64bfbbda04f47821a6f455
                                          • Instruction Fuzzy Hash: EC41A071F1421A8FDF81CF99D8C19AAFBF5EB98204B058036D906E7351C234DE018AB5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ax^
                                          • API String ID: 0-994873808
                                          • Opcode ID: 55ed54d165fe5e2177cd613f9569a0e5dca10479260e4911db06d4e6882499e5
                                          • Instruction ID: 9d3ffe2014d029b9186f894ff3fa23d81232c2ede55468675615b8af4334c088
                                          • Opcode Fuzzy Hash: 55ed54d165fe5e2177cd613f9569a0e5dca10479260e4911db06d4e6882499e5
                                          • Instruction Fuzzy Hash: E841A231F1421A8FDF80DF99D8819AEF7F6BB98204B158536D906EB350C234EE018BB5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d3ad4e4b98d78d0b77e01fb69df31f6077eba4cbd1faebfe6203ec7abf55b20
                                          • Instruction ID: d0f259ec8f09e704944605312b8df0b060d106a93f5deeec4487d12aa4e34b58
                                          • Opcode Fuzzy Hash: 9d3ad4e4b98d78d0b77e01fb69df31f6077eba4cbd1faebfe6203ec7abf55b20
                                          • Instruction Fuzzy Hash: 83A2DE74D02629CFDB68DF29C854AA9BBB2FF89305F1091E9D409A7251DB35AEC1CF40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9f003ca97b2e9c502ecd11c3724c4a8e74dd78b429bf1590b4708c12521392e1
                                          • Instruction ID: 1c4dbf80fd5b3435433d9b42529e28afed0e43c98d7e5484a21d1c105eacf36e
                                          • Opcode Fuzzy Hash: 9f003ca97b2e9c502ecd11c3724c4a8e74dd78b429bf1590b4708c12521392e1
                                          • Instruction Fuzzy Hash: 95929275D0162A8FCB64DF69C984ADDB7B2FF89300F1096D9D509A7260EB30AE85CF40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9cc2381c7cff4f8e73d717bd7060d0e10c340579cbac36088510e290183a6917
                                          • Instruction ID: c50772423d2414e39361a15e99f0d3ab220c545f84a372ab57ccdb76213760c5
                                          • Opcode Fuzzy Hash: 9cc2381c7cff4f8e73d717bd7060d0e10c340579cbac36088510e290183a6917
                                          • Instruction Fuzzy Hash: 17629C74D02229CFEB64DF24C854BA9B7B2FB8A305F1095E9D44DA7241DB35AE81CF81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dffbc957ae15bf7f1669c36c3295ec2e84b7b7ba3177cee6913b2e661b6596ce
                                          • Instruction ID: e28fcf8fe90fa61360acfab7c2c429315b93fd82eaf76cb7e6b49b95fc4cf13a
                                          • Opcode Fuzzy Hash: dffbc957ae15bf7f1669c36c3295ec2e84b7b7ba3177cee6913b2e661b6596ce
                                          • Instruction Fuzzy Hash: 5E52B231D0162A8BCB64EF69DC94ADDF7B6FF54300F2096AAD45977250EB306A85CF80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d9b5476c36131f4966376e657a121b11d58c6428de811542d2a65dc8b069f540
                                          • Instruction ID: 1eef0ff05606e8c60b9ec4dbf0cd498703ca1073916e30e542536d06c5a7d294
                                          • Opcode Fuzzy Hash: d9b5476c36131f4966376e657a121b11d58c6428de811542d2a65dc8b069f540
                                          • Instruction Fuzzy Hash: 53229171D0162ACBCB65EF64C8906DDF7B2FF99300F10969AD459B7210EB30AA85CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 727966ca427f76abf75d93ce6e5760b915015da3b641769a55014af739a84327
                                          • Instruction ID: a22dbdd24b22b943b77b72605a550523c84bc7db4368f8b063ade805a38918eb
                                          • Opcode Fuzzy Hash: 727966ca427f76abf75d93ce6e5760b915015da3b641769a55014af739a84327
                                          • Instruction Fuzzy Hash: 3DE197717007148FDBA9EBB6C550B6EB7E7AF89308F14446DE24A8B391CB35E902CB51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7cf339c3024ae7fc79c4d145152c0d353e544a424009a16498bb586249a7b50a
                                          • Instruction ID: 1fdca695e2e92547a755db7dc75082de98b00317ece852deaea345f31cb9aec7
                                          • Opcode Fuzzy Hash: 7cf339c3024ae7fc79c4d145152c0d353e544a424009a16498bb586249a7b50a
                                          • Instruction Fuzzy Hash: 46F1D270D1022A8FDB65DF64C890BEDB7B2BF99300F1085A9D55977290EB706B89CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 95101567cbacc6dd08893c8b0d8870b78d1f716a939acd9e17d54516fa8d3b30
                                          • Instruction ID: 00bd5982a7f6df7d6e84aaa0566d65ff23812730ee15a90ab100c75793e35bc8
                                          • Opcode Fuzzy Hash: 95101567cbacc6dd08893c8b0d8870b78d1f716a939acd9e17d54516fa8d3b30
                                          • Instruction Fuzzy Hash: CFE1F8B4E002598FCB14DFA9C5909AEFBF2FF89304F2481A9E515AB355D731A941CFA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a89a3c1da085f8236decac98937f55d38de12e492c5cdad1e353fb9a5348d6f9
                                          • Instruction ID: 21edde24c2708c0675c388d2dde51327040139a604b054cc954276616c577a69
                                          • Opcode Fuzzy Hash: a89a3c1da085f8236decac98937f55d38de12e492c5cdad1e353fb9a5348d6f9
                                          • Instruction Fuzzy Hash: 72E10874E002598FCB14DFA9C590AAEFBB2FF89304F248169E515AB356D730AD41CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b0e33d940a3821ac8327201ac3d57e2202b43851f739f51d44b9f827b416d5a
                                          • Instruction ID: c255acf9c2618e1ef5bfb99a773c0035d3d91730b4a93e4b79b96ff30563754b
                                          • Opcode Fuzzy Hash: 2b0e33d940a3821ac8327201ac3d57e2202b43851f739f51d44b9f827b416d5a
                                          • Instruction Fuzzy Hash: 36E11974E005998FCB14DFA8C5809AEFBF2FF89304F2481A9E915AB355D730A942CF61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 31e1e204511bed8e27f5dab2834cabdd7e6e590e9e36da0d1ebdd521d4515a68
                                          • Instruction ID: d69442f762e8004090e94da2b2c3944a5328b5d9221176bb761779023983c9b3
                                          • Opcode Fuzzy Hash: 31e1e204511bed8e27f5dab2834cabdd7e6e590e9e36da0d1ebdd521d4515a68
                                          • Instruction Fuzzy Hash: 4EE10774E002598FCB14DFA8C5909AEFBB2FF89304F648169E915AB356D730AD41CFA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e3200c7fc0e14e11345282fa20d57bdd4cb400b776b8e3639022e8e6f227afc5
                                          • Instruction ID: 585f02a8a820e98df839e81b13d8b843a159801730d13d779612de99a459a87f
                                          • Opcode Fuzzy Hash: e3200c7fc0e14e11345282fa20d57bdd4cb400b776b8e3639022e8e6f227afc5
                                          • Instruction Fuzzy Hash: DEE10774E006598FCB14DFA9C5909AEFBF2FF89304F2481A9E915AB355D730A942CF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f18e752c0f746f1a30f14262480cba05d3bc9e9c4b0ff493bbc4bf7b64a33880
                                          • Instruction ID: 4f170fe811bc34f90c4589757825fe6216a1d0583effc34204fa0210bdd9597a
                                          • Opcode Fuzzy Hash: f18e752c0f746f1a30f14262480cba05d3bc9e9c4b0ff493bbc4bf7b64a33880
                                          • Instruction Fuzzy Hash: 82D11531C20B5A8ACB01EF64D960A9DB7B5FFD5301F208B9AE44937255FB706AC5CB81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5714d170d80b2f10f27922f4e5d0acaaccc78ff16dacdf04443a8492b3a9634
                                          • Instruction ID: 4370d716cd606e446eea828d751980c9b3e0fa609f423828a623b33076b755bc
                                          • Opcode Fuzzy Hash: a5714d170d80b2f10f27922f4e5d0acaaccc78ff16dacdf04443a8492b3a9634
                                          • Instruction Fuzzy Hash: 45D11531C10B5A8ACB01EF64D960A9DB7B5FFD5301F208B9AE44A37255FB706AC4CB81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1657762033.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_ac0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1f51b03b3337859e90b793e114becf6f1ae8f562dea7132596b5f14ed1c389c5
                                          • Instruction ID: 797646b2619233d64f9603f5d70ebe02c67d7513906c23e8c578bcc65e034b68
                                          • Opcode Fuzzy Hash: 1f51b03b3337859e90b793e114becf6f1ae8f562dea7132596b5f14ed1c389c5
                                          • Instruction Fuzzy Hash: 95A14E36E002198FCF09DFB4C984AAEB7B2FF84304B16457EE805AB265DB35E955CB40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4ec44a084f171fa7098a07c95b38e62db5c5f64e6d33e1b519b4bf61c2e29701
                                          • Instruction ID: 45e4f84c5358d71d950ae720b820497ea777443594ef80b4ed28fbdf7f97be48
                                          • Opcode Fuzzy Hash: 4ec44a084f171fa7098a07c95b38e62db5c5f64e6d33e1b519b4bf61c2e29701
                                          • Instruction Fuzzy Hash: D9A1AE75D012298FDB64CF69C980BDDB7B2BF99304F1086AAD849B7250EB706A85CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d5206c4cde56f94a4c3f7a8f42ac2c9f073eb4462dd980628548346c78d6c20
                                          • Instruction ID: 3a03c5d0cc6c647a03a39c34bc09e827c71844479021b6e545cc01419c96a3d5
                                          • Opcode Fuzzy Hash: 6d5206c4cde56f94a4c3f7a8f42ac2c9f073eb4462dd980628548346c78d6c20
                                          • Instruction Fuzzy Hash: 5B615E71E056288BEB59CF278D55299FBF3AFC9210F04C1FA844DAA265DB340A86CF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1670034577.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6e20000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a20916825103a2743f3a6d703f56ba7f5a4995efed0bb184af5862cc0c1aa221
                                          • Instruction ID: fe99d28ffec5dd16d0883932b87a814b3b0bcf0230304143cdf3179a7a4588f3
                                          • Opcode Fuzzy Hash: a20916825103a2743f3a6d703f56ba7f5a4995efed0bb184af5862cc0c1aa221
                                          • Instruction Fuzzy Hash: AF615FB1E056288BEB69CF278D54299FAF7AFC9300F04C1FA844DA6265DB340A85CF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1658334495.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_26f0000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c7b22bb034d2691394c786b3c46900588718ace05da13f0df94674e5f10964af
                                          • Instruction ID: 925fea2eb200cd83934ba49949053ef491653d38ead39b025daa71bcbaa3f7e1
                                          • Opcode Fuzzy Hash: c7b22bb034d2691394c786b3c46900588718ace05da13f0df94674e5f10964af
                                          • Instruction Fuzzy Hash: 0F51FB74E012198BDB14CFA9C5809AEFBF2FF89304F24C169D518AB355DB319941CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a83c744a08788b9f83d3774fb9b0993b905e5381b1e9a03c52f3c18a0ee3a70
                                          • Instruction ID: 47480c90919ffc812d10e1cbf962069248ed7f8be29462e0e0ad8412d9b384a1
                                          • Opcode Fuzzy Hash: 3a83c744a08788b9f83d3774fb9b0993b905e5381b1e9a03c52f3c18a0ee3a70
                                          • Instruction Fuzzy Hash: 1541D375B04119DFDF84CFA8D9808AFFB7AEF89210B11856BD941EB250D631CD428BA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2736e737030e417690f5b515223089a65423652b69d8e436ed64850b99d89977
                                          • Instruction ID: 479cd1ee2abe7bd9a95f924727781b8485040d2e55f2fe7ea1e15084b9188aa8
                                          • Opcode Fuzzy Hash: 2736e737030e417690f5b515223089a65423652b69d8e436ed64850b99d89977
                                          • Instruction Fuzzy Hash: E241A475B04119DFDF84CFA8D9808AFFB7AEFC9210B11455BD905EB250D631CD418BA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1669463998.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_6d90000_SecuriteInfo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8c8e66688fb4beb01c28e7bec9f0b5948df06f72a1ec17bacf86c51391f39d42
                                          • Instruction ID: 61179872a5da06f0a27f8a2f26634fd9f9455f8d8fa8a72d01d521b7799b8e33
                                          • Opcode Fuzzy Hash: 8c8e66688fb4beb01c28e7bec9f0b5948df06f72a1ec17bacf86c51391f39d42
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a2c298e6b9dfcb35cc17d1a43315d007620b68e28439297069c124a5167d3a23
                                          • Instruction ID: 5e681b2c257b878386ca017d22a0a972e1082b0b3a1d4ddf71a295d7ca39a303
                                          • Opcode Fuzzy Hash: a2c298e6b9dfcb35cc17d1a43315d007620b68e28439297069c124a5167d3a23
                                          • Instruction Fuzzy Hash: 25215E70B00206CFDF24EB68D5587AE7BF1AF49615F20046AC506EB361EB369D41CB61
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9cebe7d60ca7f4f736b67791ca72a76f60c5e91e00bf53ce99dc314754b78d89
                                          • Instruction ID: 9c427d6ef50a11f04d5d317dc2d41a4808b90a22044638bb997f3af9665f1c78
                                          • Opcode Fuzzy Hash: 9cebe7d60ca7f4f736b67791ca72a76f60c5e91e00bf53ce99dc314754b78d89
                                          • Instruction Fuzzy Hash: 1A215071B102458FDF14DB69C954BAE7BF6FF88714F10806AE505EB3B4DA759C008790
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c59aae851eec9c1e7d92d32691f989f0b714a5697c88f78e3e7b36e66d3468b9
                                          • Instruction ID: e24f4dd0318a505117ce02dbdf0b5b14683a47277601e0870536a8d574ecaa8a
                                          • Opcode Fuzzy Hash: c59aae851eec9c1e7d92d32691f989f0b714a5697c88f78e3e7b36e66d3468b9
                                          • Instruction Fuzzy Hash: 28218030E0020A9BDF19CFA5D85499EBBB2BF89304F14891FE815BB390DB709846CB50
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: caed709669ff7a7f019994075016ee4c680922eb210f33bfea1250f4404c5da8
                                          • Instruction ID: 25e65523d8ebd41eeeacc4329a24943cdfe0cea1b1abc3e1f0264e8184ec9948
                                          • Opcode Fuzzy Hash: caed709669ff7a7f019994075016ee4c680922eb210f33bfea1250f4404c5da8
                                          • Instruction Fuzzy Hash: 34215E30700216CFDF14EB78C5187AE7BF6AB49615F20046AC506EB3A1DF369D41CBA1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 540511942ccb9f829af427a673e113a285ab728cc7a24420787f47e4463c7ab6
                                          • Instruction ID: f269291cd048cb7d369164bb1d38363335a9972b6f00d735569022fe0415afd8
                                          • Opcode Fuzzy Hash: 540511942ccb9f829af427a673e113a285ab728cc7a24420787f47e4463c7ab6
                                          • Instruction Fuzzy Hash: 852130747001124FDF21D76CF888B5E3BA5E749755F104A62E50AC7376EA38DC858B92
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 94c766bf08e6d349b4a3022995ee2588fb007bda7f5e96a9e7f085427baac50c
                                          • Instruction ID: b4c34a6cd42be95b3256075e1714e861f5bdee1cc220d3112708ec1ed205b841
                                          • Opcode Fuzzy Hash: 94c766bf08e6d349b4a3022995ee2588fb007bda7f5e96a9e7f085427baac50c
                                          • Instruction Fuzzy Hash: 1121F8B4700205CFDB14DF78D958AAD7BF1BF88705B2004AAE406EB3A5DB359D01CB91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d1aba3d96a4b052d965a21d5b68613c0647971300d08e3c5541c04651035ecb
                                          • Instruction ID: 334863b98b54f2099b63c3776852f2e930a294f56a7f7707b124cb75750092c3
                                          • Opcode Fuzzy Hash: 6d1aba3d96a4b052d965a21d5b68613c0647971300d08e3c5541c04651035ecb
                                          • Instruction Fuzzy Hash: F8211B74700205CFDB14DF78D958A9E7BF1AB89704B20046AE406EB3A5DB35DD01CB91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 81f0cc365eb2c7872631882ec42fef06ea7fc176a49d38005fb8ab40ca78432b
                                          • Instruction ID: ecbcbfd192be8cbb54272e7919e98463ecb31347dbb4c098699b7296c28561ff
                                          • Opcode Fuzzy Hash: 81f0cc365eb2c7872631882ec42fef06ea7fc176a49d38005fb8ab40ca78432b
                                          • Instruction Fuzzy Hash: FE11087AF003419FCF21ABB8A84C66F7FF5EB85760F100566D545C7345EB3989428792
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c404554ea4718d5b06bf68c5d95cc96808f483748563b55a4c2de8d8da269a96
                                          • Instruction ID: 354675827fe234aeb56abf54fa3f0fdb3c3e7874d78f0717102a63b10adee382
                                          • Opcode Fuzzy Hash: c404554ea4718d5b06bf68c5d95cc96808f483748563b55a4c2de8d8da269a96
                                          • Instruction Fuzzy Hash: 3A11E271E003568FCF22EFB888901AE7FB4AF19224F19007BD801E7312E775D9428B91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3012c15f21fccabe78e755b4d34073bed31dae8cff900e348309b091b489fec4
                                          • Instruction ID: 0fd5e0d69cea938f9b10676b0d11a3aa4f6f991469c91b4186922b17c6207a05
                                          • Opcode Fuzzy Hash: 3012c15f21fccabe78e755b4d34073bed31dae8cff900e348309b091b489fec4
                                          • Instruction Fuzzy Hash: 01115B30B002148BEF65EA7DE44472E3AA9EB85215F20493BE406CF362DA75CC858BD1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 083b7fa2a78d039f59cf9d7f2303e6b904b11669e6ef880ac0ee5180f7e60fd3
                                          • Instruction ID: 5231e8baaa2b681ca2a398ee41ae5e924ccf6848924d5cad310f9ff1f7a818a4
                                          • Opcode Fuzzy Hash: 083b7fa2a78d039f59cf9d7f2303e6b904b11669e6ef880ac0ee5180f7e60fd3
                                          • Instruction Fuzzy Hash: 38116D31B042058FEF669A7CA44437E3EA9EB86215F10497BE406DF3A2DA75CC858BD1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9de908827a8f5c6e1c1c70214d10eec40eeed786ea00affbae31b4528c1f2a1f
                                          • Instruction ID: 8aa2dc3a767d88ef2a0b52759d5867af68a401faf070ac0cb3464529496aac48
                                          • Opcode Fuzzy Hash: 9de908827a8f5c6e1c1c70214d10eec40eeed786ea00affbae31b4528c1f2a1f
                                          • Instruction Fuzzy Hash: 3C018031A012168FCF21EFBD88905AEBFF9EF58620B14047BE805E7315E775E9418BA1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3913980f6aeb9f7b145b9657e20066a642e5d151a0f587ca254b0783541dc167
                                          • Instruction ID: cff8e4ecd58e0670a944c2c5b6d8c14006d6178786849ba3b274e588b27727e9
                                          • Opcode Fuzzy Hash: 3913980f6aeb9f7b145b9657e20066a642e5d151a0f587ca254b0783541dc167
                                          • Instruction Fuzzy Hash: 5C01F530A002048BCF04EF59D88478EBBA5FF94311F54C569D80C5B39AEB70A945C7A1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83481f6bde49e503bfeb5f0e2e1b43051e3105d23c97ac1fbeecbc59d729eb3b
                                          • Instruction ID: f5718f961f312a1d23024d44948448da1d250a4e8cf3a3cc0d2525f194b068df
                                          • Opcode Fuzzy Hash: 83481f6bde49e503bfeb5f0e2e1b43051e3105d23c97ac1fbeecbc59d729eb3b
                                          • Instruction Fuzzy Hash: C901D6B060025A9FCF05DBB8F88498D7FF5EB95345F0006ADD4045F1A6DE356E42CB81
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f19842ced4869eb2d489d766fdb78762a8f3ca68560db1086b702c1f261e62d6
                                          • Instruction ID: 228158d462db6ffc72b798e64f7a6fd83c56f48891b2e514d39c108e01c67998
                                          • Opcode Fuzzy Hash: f19842ced4869eb2d489d766fdb78762a8f3ca68560db1086b702c1f261e62d6
                                          • Instruction Fuzzy Hash: 47F0C439B00208CFC714EB78E598A6D77B2EF88655F5044A9E506DB3A8DB36AD42CB41
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1692314118.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_1490000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d4778efb9a796fafeff7550338a4c80b899598a48bec1c418b6c7f103a822ca9
                                          • Instruction ID: b5bd67954c36599512e7fa56fd7fe4053f00c195c5bd652dc75b29689121dc71
                                          • Opcode Fuzzy Hash: d4778efb9a796fafeff7550338a4c80b899598a48bec1c418b6c7f103a822ca9
                                          • Instruction Fuzzy Hash: 36F0A474A0021AEFCF04EFACF88498C7BF5EB48305F004669D4089B265DE306E858B81

                                          Execution Graph

                                          Execution Coverage:9.8%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:169
                                          Total number of Limit Nodes:12

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00CAD8D6
                                          • GetCurrentThread.KERNEL32 ref: 00CAD913
                                          • GetCurrentProcess.KERNEL32 ref: 00CAD950
                                          • GetCurrentThreadId.KERNEL32 ref: 00CAD9A9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1693203308.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_ca0000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0473619E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0473619E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 8fb8c6faac7bd8747c23b567a4701905626f6b74659be615a475ccdb2843b2be
                                          • Instruction ID: a07f46fa433cd37a5ab3333e0c72a1514fea7b88890b843005d0c71d930ee986
                                          • Opcode Fuzzy Hash: 8fb8c6faac7bd8747c23b567a4701905626f6b74659be615a475ccdb2843b2be
                                          • Instruction Fuzzy Hash: 0E917B70D002199FEB20CF68C941BEDBBB2BF48315F148569E808A7341DB74A985CF92

                                          Control-flow Graph (graph image omitted; entry block at cab5bf, calls GetModuleHandleW)
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00CAB826
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1693203308.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_ca0000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: c65d1a734560233f1f0849c6d69477e0a043cd3961527694761e8a314769c485
                                          • Instruction ID: 81595f8ef037b3b0372a66ab4fd293e0428d62e586d5a2d9cdd44b4fbc80cfcb
                                          • Opcode Fuzzy Hash: c65d1a734560233f1f0849c6d69477e0a043cd3961527694761e8a314769c485
                                          • Instruction Fuzzy Hash: 4091AEB0A00B458FD728CF69D44475ABBF1FF85308F00892DE09ADBA41D774E945CB90

                                          Control-flow Graph (graph image omitted; entry block at ca5d0d, calls CreateActCtxA)
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00CA5DC9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1693203308.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_ca0000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 8025f7cab1e861cf376df616e4133cbc735758a73a9e5047de10ab55682f03c0
                                          • Instruction ID: fe631ab37431143ececc12128627cf0b3465bd9557d0d28b39f51b0353bb85c9
                                          • Opcode Fuzzy Hash: 8025f7cab1e861cf376df616e4133cbc735758a73a9e5047de10ab55682f03c0
                                          • Instruction Fuzzy Hash: 3D41F0B0C00719CADB24DFA9C884BDEBBF1BF49304F20806AD409AB251DBB56946CF51

                                          Control-flow Graph (graph image omitted; entry block at ca4524, calls CreateActCtxA)
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00CA5DC9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1693203308.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_ca0000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 5448ac6db16b3531d675fb7ab54538c4c95c73d24fdf09675fde667a69d6d756
                                          • Instruction ID: 933ea4c27d4f6e4bbad4dc26c837e4f60bafc44fc3c277f25d4877a82026d598
                                          • Opcode Fuzzy Hash: 5448ac6db16b3531d675fb7ab54538c4c95c73d24fdf09675fde667a69d6d756
                                          • Instruction Fuzzy Hash: BF41D0B0D0071ACADB24DFA9C844B9EFBF5BF49304F20806AD409AB251DBB56945CF91

                                          Control-flow Graph (graph image omitted; entry block at 4735cda, calls WriteProcessMemory)
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04735D70
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: ef5feb4aab95ed8568459ff5f0765ea583125e0356814472efd90472e66fb850
                                          • Instruction ID: 69701c485e095bbb71ab80d8c9d9e3aae42720965ff8f584df81134805ab33d6
                                          • Opcode Fuzzy Hash: ef5feb4aab95ed8568459ff5f0765ea583125e0356814472efd90472e66fb850
                                          • Instruction Fuzzy Hash: 0D2137B59003599FCB10DFAAC885BDEBBF5FF48310F108429E518A7241C778A945DBA0

                                          Control-flow Graph (graph image omitted; entry block at 6906c20, calls DrawTextExW)
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06906C0D,?,?), ref: 06906CBF
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1703003085.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6900000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: d2d848abd9a2109f58126647a710df5d0a6d5a0a77c171b9197ff92972fdfa78
                                          • Instruction ID: df974f9f7bac6fae309cc3a57767d4e468ffb447c6385ffe460227aa7733f366
                                          • Opcode Fuzzy Hash: d2d848abd9a2109f58126647a710df5d0a6d5a0a77c171b9197ff92972fdfa78
                                          • Instruction Fuzzy Hash: A13104B5D003199FDF00CF99D884ADEBBF5FB48320F14842AE919A7650D774A545CFA0

                                          Control-flow Graph (graph image omitted; entry block at 690660c, calls DrawTextExW)
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06906C0D,?,?), ref: 06906CBF
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1703003085.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_6900000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: 9606e826a21edd27f7a1bd37c63073a33c9889bb113e58477652007107216d59
                                          • Instruction ID: 3eed14bced6d6da485f33ec833918e44bc994df8af25fede96149cf01803932e
                                          • Opcode Fuzzy Hash: 9606e826a21edd27f7a1bd37c63073a33c9889bb113e58477652007107216d59
                                          • Instruction Fuzzy Hash: 1931D1B5D003199FDF10CF9AD884AAEBBF5EB48320F14842AE919A7650D774A954CBA0

                                          Control-flow Graph (graph image omitted; entry block at 4735ce0, calls WriteProcessMemory)
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04735D70
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: b09f02493a6f3756c0c0bb9519ab4213eb8f6e56d27ce75e187b183e3b11496a
                                          • Instruction ID: 1c9d7d2dcac518323a7237ed3a3d068228ab0c800061a3f6c04b105922607c2a
                                          • Opcode Fuzzy Hash: b09f02493a6f3756c0c0bb9519ab4213eb8f6e56d27ce75e187b183e3b11496a
                                          • Instruction Fuzzy Hash: 6B214AB59003499FCB10DFA9C885BDEBBF5FF48310F108429E959A7341C778A954CBA4
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0473578E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: e70a3cd3c6e5f8c2298a27aeb0a8ffbab1da5059d908ac12e6555701299c2e4d
                                          • Instruction ID: e718088e7c11c60c1e67f610523eb0620d16a9f413fd59477a51622143bd5bd4
                                          • Opcode Fuzzy Hash: e70a3cd3c6e5f8c2298a27aeb0a8ffbab1da5059d908ac12e6555701299c2e4d
                                          • Instruction Fuzzy Hash: 1F213AB59003099FDB10DFAAC485BEEBBF5EF88314F148429D459A7341C7789945CFA4
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04735E50
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 219ab1fa0413f4fcf938f9d2783ace35f4b2fb25a61b6ff55cb5a067aa0f36b2
                                          • Instruction ID: d778ea08c6295873278d85d29cc0bd0609a0ee58184481f1393e8de0b5411bf2
                                          • Opcode Fuzzy Hash: 219ab1fa0413f4fcf938f9d2783ace35f4b2fb25a61b6ff55cb5a067aa0f36b2
                                          • Instruction Fuzzy Hash: D9215CB1C003499FCB10DFAAC885ADEFBF5FF48310F10842AE559A7241C7749945CBA0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04735E50
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 8083599eb691c3b9bc40b967bccadd95adafb47dd7c39152c1282aa3f0034086
                                          • Instruction ID: 85a92665eaa7317d197874bebef6528579cebbbbaf46518549463b73d11a2e9c
                                          • Opcode Fuzzy Hash: 8083599eb691c3b9bc40b967bccadd95adafb47dd7c39152c1282aa3f0034086
                                          • Instruction Fuzzy Hash: 672139B1C003499FCB10DFAAC885ADEFBF5FF48310F508429E559A7241C774A944DBA5
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0473578E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 3b48f618a129ce8d6b821c53922b9cfa768ef2156c274bd275a2c62ac69a156a
                                          • Instruction ID: a89a4ec30e6b0c044ee46f0d16092e449c946858270b8ab9a48f9f42d6240fde
                                          • Opcode Fuzzy Hash: 3b48f618a129ce8d6b821c53922b9cfa768ef2156c274bd275a2c62ac69a156a
                                          • Instruction Fuzzy Hash: 3D2179B19003088FDB10DFAAC4857EEBBF4EF88324F148429D419A7341CB78A945CFA4
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CADB27
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1693203308.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_ca0000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: f06029c21948e22ebfd0f406334f842e3c922498d3e486f515aee5692859ba94
                                          • Instruction ID: 196bba81054840dbf6dafbe079b41ed60ff367475e3e14c46224c676c1644f4c
                                          • Opcode Fuzzy Hash: f06029c21948e22ebfd0f406334f842e3c922498d3e486f515aee5692859ba94
                                          • Instruction Fuzzy Hash: B721E2B59002499FDB10CFAAD884ADEBFF8FB48320F14801AE919A3350C374A944CFA0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04735C8E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 4cc2b22b861f04906371e611a3e2b90a9d045f4bd3723f3e14df90e5ace64351
                                          • Instruction ID: f7cf1173d7e683aaa78f78d041ba383f8827f5368dae3dafef7dd4ec08d9146d
                                          • Opcode Fuzzy Hash: 4cc2b22b861f04906371e611a3e2b90a9d045f4bd3723f3e14df90e5ace64351
                                          • Instruction Fuzzy Hash: 6F2189719003499FCB20DFAAC844ADFBFF5EF88324F148819E559A7290C775A544CBA0
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CAB8A1,00000800,00000000,00000000), ref: 00CABAB2
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1693203308.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_ca0000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: f7634d56151b49c77f64d970f452a47f0e79e85ee39684e03ffea748c89cf3c6
                                          • Instruction ID: 46f101d24e568a44e7520c20aa21feac632b37a91e936b28d82935e8e2c39be7
                                          • Opcode Fuzzy Hash: f7634d56151b49c77f64d970f452a47f0e79e85ee39684e03ffea748c89cf3c6
                                          • Instruction Fuzzy Hash: EE1114B6D003499FCB10DF9AC444ADEFBF4EB49314F14842ED529A7201C3B5A945CFA4
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CAB8A1,00000800,00000000,00000000), ref: 00CABAB2
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1693203308.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_ca0000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 1d1c3a8f8dba060640b3f94d500c9dd830a05e3caa09ab0d7e12278ae3b0f6a8
                                          • Instruction ID: 02a0796d815d7edc0c7de44215581b4ecaca05057a1425be915047a6a05720e4
                                          • Opcode Fuzzy Hash: 1d1c3a8f8dba060640b3f94d500c9dd830a05e3caa09ab0d7e12278ae3b0f6a8
                                          • Instruction Fuzzy Hash: AA1112B69002498FDB14CFAAC444ADEFBF5EF89324F14841ED469A7251C374AA45CFA0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04735C8E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 2ea479816e51667a9e17dc7eb0364fe2d2a8f2affb349ca57c0556250f25d841
                                          • Instruction ID: 661e0f6725985afcd3988dec8d16555b2cf8bc8ea0df79d0afa482552a766414
                                          • Opcode Fuzzy Hash: 2ea479816e51667a9e17dc7eb0364fe2d2a8f2affb349ca57c0556250f25d841
                                          • Instruction Fuzzy Hash: E01164B18002499FCB10DFAAC844ADFBFF5EF88324F208819E519A7250CB75A944CFA0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: d2ef2f26e4dbb3a66b465537855204a9343edda23f6953f3ea0d63c4d65f7077
                                          • Instruction ID: a7a4972fcd3a7904519fee2d7562c32ada4a232506c8a6606c76706e31adead2
                                          • Opcode Fuzzy Hash: d2ef2f26e4dbb3a66b465537855204a9343edda23f6953f3ea0d63c4d65f7077
                                          • Instruction Fuzzy Hash: D51149B19002488FDB10DFAAC4456DFBBF5EB88315F248819D459A7250C674A945CB94
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: dc970b2ef66cea65f7b6e15ceeb4a0c3ea55eab4524d2a9f9277ce03386b16bb
                                          • Instruction ID: 10ff6b63f7f57ce65b67b73635e6af5f3106016924ff3c244ba07ff34c459412
                                          • Opcode Fuzzy Hash: dc970b2ef66cea65f7b6e15ceeb4a0c3ea55eab4524d2a9f9277ce03386b16bb
                                          • Instruction Fuzzy Hash: 681166B19003488FCB10DFAAC4497DFFBF4EB88324F208819C419A7340CB74A944CBA4
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 047395CD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 64b4f268b791ec2745195771a11e51dd0c781dc6bc1c3c1c7d6da3df6bdfcd71
                                          • Instruction ID: 424e0763e51c5ec94ec194a329fd613c26988d8b92cd508ea777fbb00c2979e0
                                          • Opcode Fuzzy Hash: 64b4f268b791ec2745195771a11e51dd0c781dc6bc1c3c1c7d6da3df6bdfcd71
                                          • Instruction Fuzzy Hash: 0111E3B58003499FDB10DF99D849BDEBFF8EB48320F108419E559A7251C375A594CFA1
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 047395CD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1701087404.0000000004730000.00000040.00000800.00020000.00000000.sdmp, Offset: 04730000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4730000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 10814c416b509039530c57b1736fbfe2dc785394e09c7e68e81fd2f2ec95bf00
                                          • Instruction ID: 23c21384b9efdb274e3327655528ffbda44fabbbe20a579076de6a6bc42bd479
                                          • Opcode Fuzzy Hash: 10814c416b509039530c57b1736fbfe2dc785394e09c7e68e81fd2f2ec95bf00
                                          • Instruction Fuzzy Hash: 5111E3B58003489FDB10DF9AC449BDEBFF8EB48310F108419E559A7241D3B5AA84CFA5
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00CAB826
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1693203308.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_ca0000_XjmosAst.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692699655.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c4d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692699655.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c4d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692779247.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c5d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692779247.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c5d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692779247.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c5d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692699655.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c4d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692699655.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c4d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692779247.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c5d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692699655.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c4d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.1692699655.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_c4d000_XjmosAst.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR^q$LR^q
                                          • API String ID: 0-4089051495
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PH^q
                                          • API String ID: 0-2549759414
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR^q
                                          • API String ID: 0-2625958711
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LR^q
                                          • API String ID: 0-2625958711
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cde958b50029d49a39780db53f2469719ad2fafd75a374a19fd62e0ee53da32c
                                          • Instruction ID: 2600258ff7d9647f279a163c31097b7a73929f5aa70e5274ec3a7c923150aa31
                                          • Opcode Fuzzy Hash: cde958b50029d49a39780db53f2469719ad2fafd75a374a19fd62e0ee53da32c
                                          • Instruction Fuzzy Hash: ED31A135E1020A9BCB09DFA8D55469EBBF2BF89300F14C519E805E7394DF70AC42CB50
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d4f3a56baf0f230ab54f100437f1f0f5ea365487feb5ffab4aac72bf5f32f4a3
                                          • Instruction ID: c1d5bcd1768b9e7e941a9076b9e2e761969f27d6140dc82df6367c8d78bfc979
                                          • Opcode Fuzzy Hash: d4f3a56baf0f230ab54f100437f1f0f5ea365487feb5ffab4aac72bf5f32f4a3
                                          • Instruction Fuzzy Hash: 8241FEB0D11349DFDB14EFA9C485ADEBFF5EF48310F14802AE909AB250DB74A946CB90
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 25ed6de94e0ebf3d93914e934f49c14e540ae4fd477699f77000ec3ba0514559
                                          • Instruction ID: 3dd38de83dcfc4167ec268040da3fdd21297ad988eb7ec8e49b5b9d478516e38
                                          • Opcode Fuzzy Hash: 25ed6de94e0ebf3d93914e934f49c14e540ae4fd477699f77000ec3ba0514559
                                          • Instruction Fuzzy Hash: ED317C35E1020A9BCB19DFA9D99469EB7B2FF89300F108529E906E7384DF70AC42CB50
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40b50c1a601a34e0544a3bf561cafbb602b4acce5855bff589e6d23844a26d39
                                          • Instruction ID: 724f5934b0efa9b0b3886d3dfa0816f7f0e2e64b9b44ca2d918b005a684d93a6
                                          • Opcode Fuzzy Hash: 40b50c1a601a34e0544a3bf561cafbb602b4acce5855bff589e6d23844a26d39
                                          • Instruction Fuzzy Hash: F041EEB0D11349DFDB14EFA9C484ADEBFF5EF48310F108029E919AB250DB75A945CB90
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4984f87585405aa7421edbf3a00e59b7dbbd6260733d85eb8df87f081c1d9bf5
                                          • Instruction ID: ba5ea7102add69664100fba5455bd9f0d991c966d1522e44138ab8c163a95ec5
                                          • Opcode Fuzzy Hash: 4984f87585405aa7421edbf3a00e59b7dbbd6260733d85eb8df87f081c1d9bf5
                                          • Instruction Fuzzy Hash: 47318671E1020A9BDF05DFA9D8906AEF7B1FF89304F14C615E905EB385DB719886C750
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77f5d93cc420052061e68e651b0c800b3908f2ad1f4d0f819db95379cfec10e4
                                          • Instruction ID: 999d67f5ff5ebd123313f543b0ce088da4456429e7ab59cd1bdabcd907c0c4c8
                                          • Opcode Fuzzy Hash: 77f5d93cc420052061e68e651b0c800b3908f2ad1f4d0f819db95379cfec10e4
                                          • Instruction Fuzzy Hash: 3721B530E152069BDF09DFA4D8556EEFBB2AF89314F14851AE815BB380DB709C86CB40
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e6b436c71df5e20732afec0aeb39f900819008d303c777f4d83c8f51c9c398d
                                          • Instruction ID: f8ca54f5f7856aa35a08e3dfd4cea3431f16a6d342fface7a09b83901ec45ba9
                                          • Opcode Fuzzy Hash: 0e6b436c71df5e20732afec0aeb39f900819008d303c777f4d83c8f51c9c398d
                                          • Instruction Fuzzy Hash: DB216571E1020A9BDF05DFA9D8806AEF7B2FF89304F14D619E905EB385DB719885CB50
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e940110408e560c7677636a65e12b2db8b85e5bc91b378a43d1cfa8fd8a4ec4
                                          • Instruction ID: f96b0d4c835ee7aeeb6d011f9f2e1f92049c77a5851e4ec9bf2650e6be67ed7e
                                          • Opcode Fuzzy Hash: 0e940110408e560c7677636a65e12b2db8b85e5bc91b378a43d1cfa8fd8a4ec4
                                          • Instruction Fuzzy Hash: 9421C970A222468FDB32772CE4883797B61DB06355F140C6AD60ADB7D2D668CCEBC751
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fa4d58b3a559802e2e7b621adef36b91fda126640db0e4ef7f8f14df40523ee6
                                          • Instruction ID: cc3e5765f969c7fc138b771532d6cb92e8a0cf7c2978f2672a73553dec69142b
                                          • Opcode Fuzzy Hash: fa4d58b3a559802e2e7b621adef36b91fda126640db0e4ef7f8f14df40523ee6
                                          • Instruction Fuzzy Hash: D1214C30B212468FEB25EB78C55A7EE7BF2AF49201F1004A9C505EB2D1DF768D52CB61
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 021725df22e4367c54b7eda7180ecfe50c0ca2407d4ff43ec36c0692fc4474ee
                                          • Instruction ID: 05cb2731be8177b2798ee72c4876926393ee36cf99b8f81ded828c0ccb2137fc
                                          • Opcode Fuzzy Hash: 021725df22e4367c54b7eda7180ecfe50c0ca2407d4ff43ec36c0692fc4474ee
                                          • Instruction Fuzzy Hash: 3A2104706112164FDB16FB3DE8887293761EB41305F000E25E50ACB2E6EB78DCD78B91
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878074407.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_123d000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ef93b2937e68ecee5a920f0c53fab1e51aaf41d78cb47dd155ad0f5ba78bf6e9
                                          • Instruction ID: 444b3c7f879d20874049a13d37f5f4307707cd9e6238625d9abf68fa552935c5
                                          • Opcode Fuzzy Hash: ef93b2937e68ecee5a920f0c53fab1e51aaf41d78cb47dd155ad0f5ba78bf6e9
                                          • Instruction Fuzzy Hash: 8A2100B1614208DFCB11DF58D980B26FBA5FBC4714F64C66DE90A0A282C37AD806CA62
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5982060c77dc7732abc979676ad8e079822e5a2196f8a432532a4e3e02c18a7a
                                          • Instruction ID: b1379be6d9b8bdafb6b93aa0ba28b431870001ead7d19f98f5595c0ae43332ec
                                          • Opcode Fuzzy Hash: 5982060c77dc7732abc979676ad8e079822e5a2196f8a432532a4e3e02c18a7a
                                          • Instruction Fuzzy Hash: D6215A347112458FCB24EB78D958AAD7BF2EF8D204F1004A9E506EB3A1DB769C42CB50
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b5955aff15add95f4d2918cb163682a16cb399a89f3740939c22ba33bf163d6c
                                          • Instruction ID: 2e7e68d7e6ca4e0dbd531c1192ff50877e215bd4fe342fc6ccee913412ae75b6
                                          • Opcode Fuzzy Hash: b5955aff15add95f4d2918cb163682a16cb399a89f3740939c22ba33bf163d6c
                                          • Instruction Fuzzy Hash: 8B219230E1120A9BDF09DFA8D8545AEF7B2BF89304F10851AE915FB380DB70AC86CB50
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5aa031995487abc4b7d8a01fb248a44cc6976e1af7a3d1aa89f2e0416f231b34
                                          • Instruction ID: a4b5789eae050dfd9c2e31c69252b856348c7b28f45bdb42c14e1e33c5167a51
                                          • Opcode Fuzzy Hash: 5aa031995487abc4b7d8a01fb248a44cc6976e1af7a3d1aa89f2e0416f231b34
                                          • Instruction Fuzzy Hash: 52216D30B212568FEB24EB78C5197AE77F6AF49201F100468C506EB3D1EF769D52CBA1
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 37d24eb1e478f4663ca94b3d676cebd506bc3e7239e6f5dcf89309e04e49b798
                                          • Instruction ID: 4455e42f2c33c380e8608116f04c4f9012d2d4fef7edbbdc49cf0f1fd9a9453d
                                          • Opcode Fuzzy Hash: 37d24eb1e478f4663ca94b3d676cebd506bc3e7239e6f5dcf89309e04e49b798
                                          • Instruction Fuzzy Hash: FE21D57061111A4FDF25FB3DE8887193765E741305F104E25E50ACB2E6EB78DCD68B92
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 797f8e1f423a801de68b94d5c1ceefe647b605d7e31da2dd3259c643317f8b4f
                                          • Instruction ID: 5b7fbaa25ecff27304e7193fad7053631ee77ea48fee30e6c762da84a0674ded
                                          • Opcode Fuzzy Hash: 797f8e1f423a801de68b94d5c1ceefe647b605d7e31da2dd3259c643317f8b4f
                                          • Instruction Fuzzy Hash: 082145347102058FDB24EB79D958AAD7BF2EF8D204F1004A9E606EB3A0DB769D41CB91
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a8196685b177643a6bd5662a6686f5d5ff68cae97e434c0cef5f0084504004d
                                          • Instruction ID: 588582fa27a6aab1f14d6f29b96c2609e50a7cdbd10b5355bea75e829e41f0d3
                                          • Opcode Fuzzy Hash: 8a8196685b177643a6bd5662a6686f5d5ff68cae97e434c0cef5f0084504004d
                                          • Instruction Fuzzy Hash: 1B110830A362059FEF1266B9D44136D37A5EB42214F10497AF506CB2C2D968CCC98BD5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5fc9634bb693bc5a87ac41e3580bcd981d232d8dcc37aeaad60ec5e1bfa00707
                                          • Instruction ID: 0cf5b6550e94b134c26cb9202807a4d2968b02c937fe9cb77b4b00fe91717143
                                          • Opcode Fuzzy Hash: 5fc9634bb693bc5a87ac41e3580bcd981d232d8dcc37aeaad60ec5e1bfa00707
                                          • Instruction Fuzzy Hash: 5D119431A222569FCF22FFBC94511EE7BF1EF58210B144479D805E72C1DA35D8478BA4
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77ef1d5abdfa5ef84b44f5dec3afb4138dde8ec3681663b70ef8627a06a1a1c4
                                          • Instruction ID: 18fbf71e68bd882933f14800f7c155b5026709a004e0c0f80113a25c4f6a0246
                                          • Opcode Fuzzy Hash: 77ef1d5abdfa5ef84b44f5dec3afb4138dde8ec3681663b70ef8627a06a1a1c4
                                          • Instruction Fuzzy Hash: AF11B230B3221A8FEF556A7DD40472D32A5EB45315F104939F506CB2C2DA64CCC98BC9
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a75f57477efaf2b0d0683b0432c94a093fdf98a7f17d5eae176cd42335e54fce
                                          • Instruction ID: c32f5285fa8501c6e48bd954dee8d204ea636684c5071d4d0c02848d6e3edcfa
                                          • Opcode Fuzzy Hash: a75f57477efaf2b0d0683b0432c94a093fdf98a7f17d5eae176cd42335e54fce
                                          • Instruction Fuzzy Hash: 9A110675F112118FDB11BF79A80C6AF7BE5EB88690F100429D509C7380EB34CC569B82
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878074407.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_123d000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                          • Instruction ID: afdf90caf9c274423431b3a5dcde21970b677c42b0aa2075634bfbea5c995b18
                                          • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                          • Instruction Fuzzy Hash: 5711EBB5504284CFCB12CF58C5C4B15FBB2FB84324F28C6AAD9494B292C33AD40ACB62
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e26b33b07f9beff4f7ff46aaa08820adc53d66e21cae6a479e6d667c8523da2
                                          • Instruction ID: 4cac356cabc9902fdc9b037d55532388d7d32295a8ba15d4e424c8f9c0e107cf
                                          • Opcode Fuzzy Hash: 9e26b33b07f9beff4f7ff46aaa08820adc53d66e21cae6a479e6d667c8523da2
                                          • Instruction Fuzzy Hash: E1019631A122168FCF21FFBC94501ADBBF5EF58210B144479D905E7381EB39D842CBA5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b82e4219393d4c6ab6cc2175bdb860555a226216a6849fd242e572f9c9f46070
                                          • Instruction ID: d9cd911806fd7e26fb1d789881b062dc8d61071f4a580d7ff5f18072686fdae8
                                          • Opcode Fuzzy Hash: b82e4219393d4c6ab6cc2175bdb860555a226216a6849fd242e572f9c9f46070
                                          • Instruction Fuzzy Hash: B9F02B73A26111CFD722ABACA8911AC7FA0EE6422171C4097D906DB2D1D639E453CB25
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1867a26174a2e27b74e853e78377be8f177bfbd8c48efdbe73e649e26ad1213
                                          • Instruction ID: a298d62bcfbcd1c4c0ae6473e9da2f20a0143aa6d3544ebfb3e0eb3382451e0d
                                          • Opcode Fuzzy Hash: e1867a26174a2e27b74e853e78377be8f177bfbd8c48efdbe73e649e26ad1213
                                          • Instruction Fuzzy Hash: 7801267051025AAFCB05DBA8E88099D7BB1EB41304B104BB8D4285B1A6DE756E82C791
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8fa492d6acacc5b74a203cbc0395f18c2d5a7f65eb0aca178c801733c0c19343
                                          • Instruction ID: 8cf85752a4351cf999f44bebe8066f6b6b3dd5d930aaf6ff0dc02e7c64117d29
                                          • Opcode Fuzzy Hash: 8fa492d6acacc5b74a203cbc0395f18c2d5a7f65eb0aca178c801733c0c19343
                                          • Instruction Fuzzy Hash: 5EF03739B40208CFC714DB74D598B6CB7B2EF883A5F2044A8E506CB3A0DB35AD42CB41
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2878377100.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_1280000_MSBuild.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e122c57eaf70d27ef2701b9abcbb687fada30f601404306c0c616d100a99f50
                                          • Instruction ID: 7152e903404e90ada0b8f04ee9a958cbaeff5ee62b77a7e5bd93259718d8b2a8
                                          • Opcode Fuzzy Hash: 7e122c57eaf70d27ef2701b9abcbb687fada30f601404306c0c616d100a99f50
                                          • Instruction Fuzzy Hash: 88F0AF7091022DAFCB04EFA9F88099D7BB5EB40305F008A68D40897264EE746E85CB91